INTRODUCTION


In a previous report [MP2] we introduced the temporal framework for reasoning about concurrent programs. We described the model of concurrent programs that we study, which is based on interaction via shared variables, and defined the concept of fair execution of such programs. We then demonstrated the application of the temporal logic formalism to the expression of properties of concurrent programs. Program properties of interest can be classified according to the syntactic form of the temporal formula expressing them; we studied three classes of properties: invariance properties, eventuality properties and precedence properties. We have shown that almost all of the program properties that were ever considered or studied for either sequential or concurrent programs fall into one of these three categories. These include properties such as partial correctness, clean behavior, global invariants, mutual exclusion, safety, deadlock absence, output integrity in the invariance category; total correctness, intermittent assertion realization, accessibility, liveness, responsiveness in the eventualities category; and safe liveness, absence of unsolicited response, FIFO responsiveness and general precedence in the precedence category.

In this paper, a sequel to [MP2], we concentrate on the application of the temporal logic formalism to proving these properties. We thus present methods for establishing that a given program indeed possesses a certain property. In principle, once a property has been expressed within the temporal logic formalism, and an appropriate temporal characterization of the behavior of the given program derived ([MAN1], [MP1], [PNU1], [PNU2]), the task of proving that the property holds for this program reduces to proving the validity of a certain temporal implication. This implication states that every sequence of states, if it is a fair computation of the given program, has the desired property.

These principles can be justified by the general temporal formalism, and once justified, provide direct, simple, and intuitive rules for the establishment of these properties. They usually replace long but repetitively similar chains of primitive steps in more detailed proofs, and help us focus on the higher level overview of the proof while retaining the necessary standard of rigor.

Previous attempts to develop proof techniques for concurrent programs include [KEL], [LAM] and [OG].

In  our  exposition,  we  assume  that  the  reader  is  familiar  with  the  concepts  and  definitions 
introduced  in  our  first  paper  of  this  series  [MP2]. 

THE INVARIANCE PRINCIPLE


Consider a typical concurrent program $P$ of form

$(\bar y := f_0(\bar x));$

with input parameters $\bar x = (x_1, \ldots)$ and shared program variables $\bar y = (y_1, \ldots)$ over a domain $D$. Let $\psi$ be a classical formula, i.e., a formula with no modal operators. The basic idea in proving that the formula $\psi$ is an invariant of the program $P$, i.e.

$\models\ \varphi(\bar x) \supset \Box\psi(\bar y),$

is to show that:

(a) the precondition $\varphi(\bar x)$ implies that $\psi$ is true initially.

(b) $\psi$ is preserved by any possible transition of the program $P$; that is, if it were true before the transition then it will also be true after the transition.

We can then infer the invariance of $\psi$ under the precondition $\varphi(\bar x)$.

To state the result more precisely, let $Q(\bar\pi; \bar y)$ be a "state property", i.e., it is expressed by a classical formula with no temporal operators, which may refer to the location variables $\bar\pi$, the program variables $\bar y$, and possibly some global variables.


Let

$\ell \xrightarrow{\ c_\alpha(\bar y) \to [\bar y := f_\alpha(\bar y)]\ } \ell'$

be a transition $\alpha$ in process $P_j$ for some $j = 1, \ldots, m$. With each such transition we associate the location transformation function $r_\alpha$ given by:

$r_\alpha(\pi_1, \ldots, \pi_j, \ldots, \pi_m) = (\pi_1, \ldots, \ell', \ldots, \pi_m),$

i.e., the value of $\pi_j$ is replaced by $\ell'$ while the value of each $\pi_i$, $i \neq j$, is unchanged. This transformation denotes the change in the vector $\bar\pi$ when transition $\alpha$ is taken, much in the same way that $f_\alpha$ denotes the change in $\bar y$ when $\alpha$ is taken.

The notation we use to express the location change as a transformation underlines the similarity between the location and program variables. This leads to the possible description of a transition as:

$[at\,\ell \wedge c_\alpha(\bar y)] \;\to\; [(\bar\pi; \bar y) := (r_\alpha(\bar\pi); f_\alpha(\bar y))].$


A property $Q(\bar\pi; \bar y)$ is said to be inductive for $P$ if the following verification condition holds for each transition $\alpha$ in $P$:

$V_\alpha:\ [at\,\ell \wedge c_\alpha(\bar y) \wedge Q(\bar\pi; \bar y)] \supset Q(r_\alpha(\bar\pi); f_\alpha(\bar y)).$

Intuitively, $Q$ is inductive if it is inherited along every transition, i.e., if it was true before the transition and the transition was enabled, it will necessarily be true after the transition. Note that the verification condition is classical, in the sense that it contains no temporal operators, and can therefore be established using classical proof techniques.

Our proof rule for invariance may now be formulated as follows:

The Invariance Principle

Let $Q(\bar\pi; \bar y)$ be a state property of a program $P$ such that:

1. $Q$ is true initially; i.e.,

$I:\ [at\,\bar\ell_0 \wedge \varphi(\bar x)] \supset Q(\bar\pi; f_0(\bar x))$

holds, where $\bar\ell_0 = (\ell_0^1, \ldots, \ell_0^m)$ is the vector of initial locations.

2. $Q$ is inductive for $P$; i.e., the verification condition

$V_\alpha:\ [at\,\ell \wedge c_\alpha(\bar y) \wedge Q(\bar\pi; \bar y)] \supset Q(r_\alpha(\bar\pi); f_\alpha(\bar y))$

holds for every transition $\alpha$ in $P$.

Then we may deduce

$\models\ [at\,\bar\ell_0 \wedge \varphi(\bar x)] \supset \Box Q(\bar\pi; \bar y).$

Condition 1 ensures that $Q$ is true initially, provided we restrict ourselves to inputs $\bar x$ satisfying $\varphi$, and condition 2 ensures that once $Q$ is true it remains so. The conclusion is that $Q$ is invariantly true for all $(P, \varphi)$-computations.

Note that this proof principle reduces the proof of a temporal formula of the invariance class into a classical proof of a set of formulas, namely the initial condition $I$ and the verification conditions $V_\alpha$.

The principle of invariance described here is the most general method known for proving invariance properties of concurrent programs. It can be shown to underlie all other proposed proof methods for invariance properties.


PRAGMATIC  CONSIDERATIONS  IN  CHECKING  FOR  INDUCTIVENESS 


In principle, when checking for the inductiveness of an assertion $Q$ one has to check the verification condition $V_\alpha$ for all transitions $\alpha$ in the program. However, in practice, we can immediately discard many transitions as automatically preserving $Q$, based on syntactic considerations alone.

If the property $Q$ does not contain any of the location variables $\bar\pi$, then the required verification conditions $V_\alpha$ are reduced to

$V'_\alpha:\ [c_\alpha(\bar y) \wedge Q(\bar y)] \supset Q(f_\alpha(\bar y)).$

In particular, $V'_\alpha$ is trivially true for any transition $\alpha$ where $f_\alpha$ does not modify the variables on which $Q$ actually depends.

A typical case is that of semaphores. We have the following property:

The Semaphore Variable Rule: For a semaphore variable $y$, if its initial value is a non-negative integer and if it is modified only by request and release instructions, then

$\models\ \Box(y \ge 0).$

The only two instructions that may modify the value of a semaphore variable are: $request(y)$, which is equivalent to

$y > 0 \;\to\; [y := y - 1]$

and $release(y)$, which is equivalent to

$true \;\to\; [y := y + 1].$

For the request case the verification condition is

$[(y > 0) \wedge (y \ge 0)] \supset (y - 1 \ge 0).$

For the release transition the verification condition is

$[true \wedge (y \ge 0)] \supset (y + 1 \ge 0).$

Both conditions are trivially true. Thus, since the initial value of the semaphore variable $y$ is nonnegative and it is modified only through the semaphore instructions $request(y)$ and $release(y)$, it follows, by the Invariance Principle, that $y$ is invariantly nonnegative, i.e. $\models\ \Box(y \ge 0)$.

For another example, let us consider a typical assertion of the form:

$Q(\bar\pi; \bar y):\ at\,L \supset \psi(\bar y),$

where $L$ is a set of locations in $P$ and $\psi$ does not depend on the location variables. For an arbitrary transition $\alpha$ of the form

$\ell \xrightarrow{\ c_\alpha(\bar y) \to [\bar y := f_\alpha(\bar y)]\ } \ell'$

the verification condition is

$V_\alpha:\ \{c_\alpha(\bar y) \wedge [(\ell \in L) \supset \psi(\bar y)]\} \supset [(\ell' \in L) \supset \psi(f_\alpha(\bar y))],$

or equivalently,

$[c_\alpha(\bar y) \wedge ((\ell \notin L) \vee \psi(\bar y)) \wedge (\ell' \in L)] \supset \psi(f_\alpha(\bar y)).$

There are three cases to consider.

Case: $\ell' \notin L$ (outside or leaving $L$). Then $V_\alpha$ is trivially true, since the antecedent of the implication is false.

Case: $\ell \notin L$, $\ell' \in L$ (entering $L$). Then $V_\alpha$ is reduced to

$c_\alpha(\bar y) \supset \psi(f_\alpha(\bar y)).$

Case: $\ell, \ell' \in L$ (within $L$). Then $V_\alpha$ is reduced to

$[c_\alpha(\bar y) \wedge \psi(\bar y)] \supset \psi(f_\alpha(\bar y)).$

Thus, we only have to consider $\alpha$'s which fall into the two latter cases.

EXAMPLE:  CONSUMER-PRODUCER 

Let us illustrate an application of the invariance principle to the Consumer-Producer program (program CP of [MP2]).

$b := \Lambda,\ s := 1,\ cf := 0,\ ce := N$

    P1 : Producer                  P2 : Consumer
    l0 : compute y1                m0 : request(cf)
    l1 : request(ce)               m1 : request(s)
    l2 : request(s)                m2 : y2 := head(b)
    l3 : t1 := b o y1              m3 : t2 := tail(b)
    l4 : b := t1                   m4 : b := t2
    l5 : release(s)                m5 : release(s)
    l6 : release(cf)               m6 : release(ce)
    l7 : go to l0                  m7 : compute using y2
                                   m8 : go to m0

(Here $l_i$ stands for the location $\ell_i$ and $b \circ y_1$ for the buffer $b$ with $y_1$ appended at its end.)

The producer $P_1$ computes a value into $y_1$ without using any other program variables; the computation details are irrelevant. It then adds $y_1$ to the end of the buffer $b$. The consumer $P_2$ removes the first element of the buffer into $y_2$ and then uses this value for its own purposes (at $m_7$). It is assumed that the maximal capacity of the buffer $b$ is $N > 0$. The 'compute using $y_2$' instruction references $y_2$ but does not modify any of the shared program variables.

In order to ensure the correct synchronization between the processes we use three semaphore variables: the variable $s$ ensures that the accesses to the buffer are protected and provides exclusion between the sections $(\ell_3, \ell_4, \ell_5)$ and $(m_2, m_3, m_4, m_5)$. The variable $ce$ ("count of empties") counts the number of free available slots in the buffer $b$. The variable $cf$ ("count of fulls") counts how many items the buffer currently holds.
The initial condition is given by:

$at\,\ell_0 \wedge at\,m_0 \wedge (b = \Lambda) \wedge (s = 1) \wedge (cf = 0) \wedge (ce = N).$

We will use invariances to prove several properties of this program.

First, we observe that due to the semaphore variable rule

(1) $\models\ \Box[(s \ge 0) \wedge (cf \ge 0) \wedge (ce \ge 0)].$

Mutual Exclusion

The exclusive access to the critical sections

$L = \{\ell_3, \ell_4, \ell_5\}$

$M = \{m_2, m_3, m_4, m_5\}$

can be expressed as:

$\models\ \Box\neg(at\,L \wedge at\,M),$

i.e., it is never the case that $\pi_1 \in L$ and $\pi_2 \in M$ simultaneously.

Since only one $at\,\ell_i$ and only one $at\,m_i$ can be true at a given instant it is sufficient to prove:

(2) $\models\ \Box[(at\,L + at\,M) \le 1].$

Note the mixed notation that treats propositions as numerically valued with $true = 1$, $false = 0$.

Formula (2) states an invariance property. It will be proved by showing the invariance of the assertion:

$Q_1:\ at\,L + at\,M + s = 1.$

By the invariance principle we have to show that $Q_1$ is true initially and that $Q_1$ is inductive for $P$.

Initially, we have that $s = 1$ and that $at\,\ell_0 = at\,m_0 = 1$, which implies that $at\,L = at\,M = 0$. Thus the left-hand side of the equality in $Q_1$ evaluates to 1 and we have that $Q_1$ holds initially.

Next, we have to check that $Q_1$ is inductive, i.e., preserved by every transition in $P$. From inspection of the variables on which $Q_1$ depends, it is clear that it is sufficient to check the transitions that either modify $s$ or modify the $at\,L$ or $at\,M$ propositions. The only candidates for modifying $Q_1$ are therefore the transitions $\ell_2 \to \ell_3$, $\ell_5 \to \ell_6$, $m_1 \to m_2$ and $m_5 \to m_6$.

Take, for example, the transition $\ell_2 \to \ell_3$. Going through this transition changes $at\,\ell_3$ from 0 to 1, increasing the sum by 1. But, as $s$ is decremented by 1, the sum remains constant. Similar checks of the other transitions will show that they all leave the sum invariant. This establishes the inductiveness of $Q_1$.

We may therefore conclude by the Invariance Principle that

$\models\ \Box Q_1,$

i.e., $Q_1$ is an invariant of the program $P$.

The combination of $\Box Q_1$ and the semaphore property $\Box(s \ge 0)$ implies property (2) that proves mutual exclusion.


Proper Management of the Buffer

Here we would like to show that

(3) $\models\ \Box(0 \le |b| \le N),$

i.e., the buffer's maximum capacity is never exceeded throughout the execution and no attempt is made to remove an element from an empty buffer.

We first establish the invariance of the following inductive assertion:

$Q_2:\ cf + ce + at\,\ell_{2..6} + at\,m_{1..6} = N.$

We use here our abbreviated notation, where $at\,\ell_{2..6}$ stands for $at\{\ell_2, \ldots, \ell_6\}$, i.e., $\pi_1 \in \{\ell_2, \ldots, \ell_6\}$, and $at\,m_{1..6}$ stands for $at\{m_1, \ldots, m_6\}$, i.e., $\pi_2 \in \{m_1, \ldots, m_6\}$. As before, the whole conjunction is interpreted arithmetically: 1 standing for $true$ and 0 for $false$. By inspection of the relevant transitions we verify that $Q_2$ is indeed inductive and initially true, and thus is invariant, i.e.,

$\models\ \Box Q_2.$

Next consider another necessary invariant assertion:

$Q_3:\ cf + at\,\ell_{5,6} + at\,m_{1..4} = |b|,$

where $|b|$ is the size of the buffer $b$. To establish the invariance of $Q_3$ we have to also establish the invariance of

$Q_4:\ at\,\ell_4 \supset (|t_1| = |b| + 1)$

and

$Q_5:\ at\,m_4 \supset (|t_2| + 1 = |b|).$

We will check for the joint invariance of $Q_3$, $Q_4$ and $Q_5$ and establish $\Box(Q_3 \wedge Q_4 \wedge Q_5)$.

The conjunction $Q_3 \wedge Q_4 \wedge Q_5$ is initially of the form $(0 = 0) \wedge (false \supset \ldots) \wedge (false \supset \ldots)$ which is clearly true.

In order to check the inductiveness of $Q_3 \wedge Q_4 \wedge Q_5$ we must check every relevant transition of the program CP. Let us consider two typical transitions:

$\ell_3 \to \ell_4$:

$Q_3$ and $Q_5$ are not affected at all. In $Q_4$, both $at\,\ell_4$ and $|t_1| = |b| + 1$ become true on this transition, so that $Q_4$ is true after the transition.

$\ell_4 \to \ell_5$:

Here, $Q_3$, $Q_4$ and $Q_5$ are all affected by the transition and we would like, therefore, to illustrate the proof of a verification condition along this transition in greater detail. The verification condition is:

$[at\,\ell_4 \wedge Q_3(\bar\pi; \bar y) \wedge Q_4(\bar\pi; \bar y) \wedge Q_5(\bar\pi; \bar y)]$

$\supset\ [Q_3(r(\bar\pi); f(\bar y)) \wedge Q_4(r(\bar\pi); f(\bar y)) \wedge Q_5(r(\bar\pi); f(\bar y))]$

where

$r(\pi_1, \pi_2) = (\ell_5, \pi_2)$

$f(b, s, cf, ce, t_1, t_2) = (t_1, s, cf, ce, t_1, t_2).$

The proof proceeds in the following steps:

1. $at\,\ell_4$ (given)

2. $at\,\ell_{5,6} = 0$ (from 1)

3. $cf + at\,m_{1..4} = |b|$ (by $Q_3$)

4. $|t_1| = |b| + 1$ (by $Q_4$ using 1)

5. $cf + 1 + at\,m_{1..4} = |b| + 1$ (by adding 1 to both sides of 3)

6. $cf + (\ell_5 \in \{\ell_5, \ell_6\}) + at\,m_{1..4} = |t_1|$ (from 5 using 4)

7. $Q_3(r(\bar\pi); f(\bar y))$ (by definition of $r$ and $f$ using $Q_3$)

Consider next $Q_4(r(\bar\pi); f(\bar y))$:

8. $(\ell_5 = \ell_4) \supset (|t_1| = |t_1| + 1)$ (tautology)

9. $Q_4(r(\bar\pi); f(\bar y))$ (by definition of $r$ and $f$ using $Q_4$)

As for $Q_5(r(\bar\pi); f(\bar y))$:

10. $\neg at\,m_4$ (by 1 and mutual exclusion (2))

11. $at\,m_4 \supset (|t_2| + 1 = |t_1|)$ (from 10)

12. $Q_5(r(\bar\pi); f(\bar y))$ (by definition of $r$ and $f$ using $Q_5$)

This concludes the proof of the verification condition for transition $\ell_4 \to \ell_5$. Therefore $Q_3 \wedge Q_4 \wedge Q_5$ is inductive along the transition $\ell_4 \to \ell_5$. We can similarly check that it is inductive along all the other transitions.

Thus we have established:

$\models\ \Box(Q_3 \wedge Q_4 \wedge Q_5).$


Let us now proceed to infer the proper management of the buffer $b$, i.e., $\Box(0 \le |b| \le N)$.

First observe that by $Q_3$, $|b|$ is equal to a sum of variables all of which are nonnegative. Thus we have

$\models\ \Box(|b| \ge 0).$

On the other hand we have by $Q_3$ and $Q_2$ that

$|b| - cf = at\,\ell_{5,6} + at\,m_{1..4}$

$\qquad \le at\,\ell_{2..6} + at\,m_{1..6}$

$\qquad = N - (cf + ce).$

The first equality is a direct consequence of $Q_3$. The inequality results from the fact that $\{\ell_5, \ell_6\}$ is a subset of $\{\ell_2, \ldots, \ell_6\}$, and $\{m_1, \ldots, m_4\}$ is a subset of $\{m_1, \ldots, m_6\}$. The second equality is a direct consequence of $Q_2$.

Thus, we have

$|b| - cf \le N - (cf + ce)$

which simplifies to

$|b| \le N - ce.$

Since $ce$ is a semaphore variable we have $ce \ge 0$, which gives

$\models\ \Box(|b| \le N).$

Thus we conclude that property (3),

$\models\ \Box(0 \le |b| \le N),$

holds.
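The following Python program is an added example and is not part of the paper: it carries out the Invariance Principle mechanically for program CP, checking the initial condition $I$ and every verification condition $V_\alpha$ of the conjunction $Q_1 \wedge Q_2 \wedge Q_3 \wedge Q_4 \wedge Q_5$ (together with the semaphore rule (1)) by exhaustive enumeration of a bounded domain, and then checking that every state satisfying that conjunction has mutual exclusion (2) and $0 \le |b| \le N$ (3). It assumes a constructed capacity $N = 2$, abstracts $b$, $t_1$, $t_2$ to their lengths (the assertions depend on lengths only), and bounds the variables so that the domain is finite; the function names and field names are the example's own. Checking $Q_3$ on its own reports the failing transitions $\ell_4 \to \ell_5$ and $m_4 \to m_5$, which is exactly why $Q_4$, $Q_5$ and the exclusion (2) were needed in the proof above.

```python
"""Added example: mechanical check of the Invariance Principle for program CP.
b, t1, t2 are abstracted to their lengths nb, nt1, nt2 (Q1..Q5 depend on
lengths only); N is a constructed small capacity so the domain is finite."""
from itertools import product

N = 2
FIELDS = ("pi1", "pi2", "s", "cf", "ce", "nb", "nt1", "nt2")
L = {3, 4, 5}      # producer critical section {l3, l4, l5}
M = {2, 3, 4, 5}   # consumer critical section {m2, ..., m5}


def at(st, proc, locs):
    """Numeric at-proposition: 1 if process proc is at one of locs, else 0."""
    return 1 if st[proc] in locs else 0


def Q3(st):
    """Q3: cf + at l5,6 + at m1..4 = |b|."""
    return st["cf"] + at(st, "pi1", {5, 6}) + at(st, "pi2", range(1, 5)) == st["nb"]


def Q(st):
    """Semaphore rule (1) together with Q1, Q2, Q3, Q4, Q5."""
    sem = st["s"] >= 0 and st["cf"] >= 0 and st["ce"] >= 0
    q1 = at(st, "pi1", L) + at(st, "pi2", M) + st["s"] == 1
    q2 = (st["cf"] + st["ce"] + at(st, "pi1", range(2, 7))
          + at(st, "pi2", range(1, 7)) == N)
    q4 = not at(st, "pi1", {4}) or st["nt1"] == st["nb"] + 1
    q5 = not at(st, "pi2", {4}) or st["nt2"] + 1 == st["nb"]
    return sem and q1 and q2 and Q3(st) and q4 and q5


def request(v):   # c_alpha: v > 0,  f_alpha: v := v - 1
    return lambda st: st[v] > 0, lambda st: {v: st[v] - 1}


def release(v):   # c_alpha: true,   f_alpha: v := v + 1
    return lambda st: True, lambda st: {v: st[v] + 1}


def assign(var, expr):   # c_alpha: true, f_alpha: var := expr(state)
    return lambda st: True, lambda st: {var: expr(st)}


SKIP = (lambda st: True, lambda st: {})   # instruction with no effect on the tracked variables

# (process, from, to, guard c_alpha, effect f_alpha), transcribed from program CP
TRANSITIONS = [
    ("pi1", 0, 1, *SKIP),                                    # l0: compute y1
    ("pi1", 1, 2, *request("ce")),                           # l1: request(ce)
    ("pi1", 2, 3, *request("s")),                            # l2: request(s)
    ("pi1", 3, 4, *assign("nt1", lambda st: st["nb"] + 1)),  # l3: t1 := b o y1
    ("pi1", 4, 5, *assign("nb", lambda st: st["nt1"])),      # l4: b := t1
    ("pi1", 5, 6, *release("s")),                            # l5: release(s)
    ("pi1", 6, 7, *release("cf")),                           # l6: release(cf)
    ("pi1", 7, 0, *SKIP),                                    # l7: go to l0
    ("pi2", 0, 1, *request("cf")),                           # m0: request(cf)
    ("pi2", 1, 2, *request("s")),                            # m1: request(s)
    ("pi2", 2, 3, *SKIP),                                    # m2: y2 := head(b)
    ("pi2", 3, 4, *assign("nt2", lambda st: st["nb"] - 1)),  # m3: t2 := tail(b)
    ("pi2", 4, 5, *assign("nb", lambda st: st["nt2"])),      # m4: b := t2
    ("pi2", 5, 6, *release("s")),                            # m5: release(s)
    ("pi2", 6, 7, *release("ce")),                           # m6: release(ce)
    ("pi2", 7, 8, *SKIP),                                    # m7: compute using y2
    ("pi2", 8, 0, *SKIP),                                    # m8: go to m0
]


def states():
    """Every state of the bounded domain (locations x bounded variable values)."""
    ranges = (range(8), range(9), range(2), range(N + 1), range(N + 1),
              range(N + 1), range(N + 2), range(N + 2))
    for vals in product(*ranges):
        yield dict(zip(FIELDS, vals))


def initial(st):
    """at l0 and at m0 and (b = empty) and (s = 1) and (cf = 0) and (ce = N)."""
    return (st["pi1"] == 0 and st["pi2"] == 0 and st["nb"] == 0
            and st["s"] == 1 and st["cf"] == 0 and st["ce"] == N)


def check_invariance(assertion):
    """Condition I and every V_alpha by enumeration: (I holds, failing transitions)."""
    init_ok = all(assertion(st) for st in states() if initial(st))
    failures = set()
    for st in states():
        if not assertion(st):
            continue
        for proc, src, dst, guard, effect in TRANSITIONS:
            if st[proc] == src and guard(st):
                nxt = dict(st, **effect(st))   # f_alpha applied to the variables
                nxt[proc] = dst                # r_alpha applied to the locations
                if not assertion(nxt):
                    failures.add((proc, src, dst))
    return init_ok, sorted(failures)


def implied_properties():
    """(2) at L + at M <= 1 and (3) 0 <= |b| <= N hold in every state satisfying Q."""
    return all(at(st, "pi1", L) + at(st, "pi2", M) <= 1 and 0 <= st["nb"] <= N
               for st in states() if Q(st))


if __name__ == "__main__":
    print(check_invariance(Q))     # (True, [])
    print(check_invariance(Q3))    # (True, [('pi1', 4, 5), ('pi2', 4, 5)])
    print(implied_properties())    # True
```

Enumeration over a bounded domain is a check, not the classical proof the principle calls for; what it shares with the proof is the shape of the obligations: only the classical conditions $I$ and $V_\alpha$ are evaluated, one transition at a time, and no temporal reasoning is involved.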
Comments

• Modifying the program

The need for the auxiliary invariants $Q_4$ and $Q_5$ resulted from the splitting of the statements concerning $b$ into several statements according to the single-access rule.

Having first established the mutual exclusion of the regions $L = \{\ell_3, \ell_4, \ell_5\}$ and $M = \{m_2, \ldots, m_5\}$ we can observe that $b$ is not really a shared variable, in that only one process at a time can access it. Correspondingly, we could transform the program, after having established exclusion, by replacing

$\ell_3:\ t_1 := b \circ y_1$

$\ell_4:\ b := t_1$

by

$\ell_3:\ b := b \circ y_1$

and

$m_2:\ y_2 := head(b)$

$m_3:\ t_2 := tail(b)$

$m_4:\ b := t_2$

by

$m_2:\ (y_2, b) := (head(b), tail(b)).$

This would greatly simplify the subsequent analysis by making $Q_3$ directly verifiable without using $Q_4$ and $Q_5$.

• Using virtual variables

Instead of introducing the auxiliary invariants $Q_4$, $Q_5$ it is possible to define a virtual variable $b^*$ by:

$b^* = \mathbf{if}\ at\,\ell_4\ \mathbf{then}\ t_1\ \mathbf{else}\ (\mathbf{if}\ at\,m_4\ \mathbf{then}\ t_2\ \mathbf{else}\ b)$

and then directly prove a modified version of $Q_3$:

$Q_3':\ cf + at\,\ell_{4..6} + at\,m_{1..3} = |b^*|.$

The variable $b^*$ represents the intended value of $b$, where we use $t_i$ ($i = 1, 2$) instead of $b$ if $b$ is about to be changed to $t_i$. Because we are focusing our attention on the value as soon as it is obtained, we have modified $Q_3$ by extending the region $\{\ell_5, \ell_6\}$ into $\{\ell_4, \ell_5, \ell_6\}$ and contracting $\{m_1, m_2, m_3, m_4\}$ into $\{m_1, m_2, m_3\}$.

A  SYSTEMATIC  SEARCH  FOR  LINEAR  INVARIANTS 


In order to dispel the illusion of "magically" drawing the invariants $Q_1$, $Q_2$, $Q_3$ out of thin air, let us describe a method for a systematic search for such invariants. (See also [FRA], [CLA].)

An invariant of the form discussed here is composed of three parts, such that the sum of the first two is equal to the third. We represent such an invariant by:

$(B + Z) = C.$

(a) $B$ is the body of the invariant and is a linear expression in the semaphore variables and other variables which are incremented by constants (linearly) during cycles in the program.

(b) $Z$ is a sum of expressions of the form $\pi_j \in L$ for some region $L \subseteq L_j$ and will be called a compensation expression.

(c) $C$ is a constant.

We start constructing such an invariant by finding an appropriate body.

(a) In the body we look for a linear combination of variables $E = \sum_i a_i y_i$ such that the net change in each cycle of each process is 0. Obviously, we restrict ourselves to cyclic programs, i.e., non-terminating programs in which each process eventually returns to its initial location, and to variables whose change along a cycle is constant and independent of the program flow. Semaphore variables usually have this property.

Let us denote for these variables the net change in $y_i$ resulting from a full cycle in process $P_j$ by $\Delta^j_i$. Then our combination $E = \sum_i a_i y_i$ should satisfy

$\Delta^j E = \sum_i a_i \Delta^j_i = 0$

for every $j$, $1 \le j \le m$. That is, we require that the value of the expression remains unchanged as a result of a complete cycle of each of the processes.

In our consumer-producer example all our variables are linearly incremented and we have the following table:

$\Delta^1_s = 0 \qquad\qquad \Delta^2_s = 0$

$\Delta^1_{|b|} = 1 \qquad\qquad \Delta^2_{|b|} = -1$

$\Delta^1_{cf} = 1 \qquad\qquad \Delta^2_{cf} = -1$

$\Delta^1_{ce} = -1 \qquad\qquad \Delta^2_{ce} = 1.$

We look for a combination

$E = a_1 \cdot s + a_2 \cdot |b| + a_3 \cdot cf + a_4 \cdot ce$

such that $\sum_i a_i \Delta^j_i = 0$ for $j = 1, 2$. This yields the set of equations

$a_1 \cdot 0 + a_2 + a_3 - a_4 = 0$

$a_1 \cdot 0 - a_2 - a_3 + a_4 = 0.$

We will be interested in a nontrivial set of independent solutions to these equations.
In this case the equations possess three degrees of freedom, and hence three linearly independent solutions are possible. The exact choice is irrelevant and we pick the following:

1. $a_1 = 1$, $a_2 = a_3 = a_4 = 0$

2. $a_3 = a_4 = 1$, $a_1 = a_2 = 0$

3. $a_2 = a_4 = 1$, $a_1 = a_3 = 0$.

Thus for the following independent linear combinations, the net change in each cycle of each process is 0:

$B_1:\ s$

$B_2:\ cf + ce$

$B_3:\ |b| + ce.$

Note that $B_1$ and $B_2$ correspond to the bodies of $Q_1$ and $Q_2$ respectively, while $B_3$ is a different invariant which will enable us to derive the same conclusion as the combination of $Q_2$ and $Q_3$. For the choice $a_1 = a_4 = 0$, $a_2 = -1$ and $a_3 = 1$, we could get $B_3':\ cf - |b|$, which corresponds to $Q_3$ itself.

(b) Having a body $B$, to derive the right-hand side $C$ of the invariant, we only have to substitute the initial values implied by $\varphi(\bar x)$ into the body. Doing this for our three invariants we obtain:

$C_1:\ 1$

$C_2:\ N$

$C_3:\ N.$

(c) Next, we determine the compensation expressions. Consider a given $C$ and $B(\bar y)$ and a process $P_j$ with locations $\{\ell_0, \ldots, \ell_e\}$. Since we assume cycling, $\ell_e$ is not a terminal location but branches back to $\ell_0$. By our assumption, the changes in $B(\bar y)$ can be traced and are constant. Denote by $B_i(\bar y)$ the value of $B$ at location $i = 0, 1, \ldots, e$ in the process, and let $\delta_i$ be the difference between $B_0$ and $B_i$.

Then the compensating expression for process $P_j$ is given by

$Z_j = \sum_{i=0}^{e} \delta_i \cdot (at\,\ell_i).$

For example, to evaluate $\delta_i$ for $B_1 = s$ in $P_1$ above we have to compute:

$\delta_i = s|_{at\,\ell_0} - s|_{at\,\ell_i}.$

Assuming that $P_1$ is operating alone (which is the basic assumption in the computation of the $\delta_i$), we take the difference between the value of $s$ at $\ell_i$ and its initial value at $\ell_0$. Thus, we have

$\delta_0 = \delta_1 = \delta_2 = \delta_7 = 0,$

since when $P_1$ is being executed alone the value of $s$ at locations $\ell_0$, $\ell_1$, $\ell_2$, $\ell_7$ is equal to the value of $s$ at $\ell_0$, i.e., $s = 1$. Moreover,

$\delta_3 = \delta_4 = \delta_5 = 1,$

since when $P_1$ is executing alone, the value of $s$ at locations $\ell_3$, $\ell_4$, $\ell_5$ is smaller by 1 than the value of $s$ at $\ell_0$. Hence, the compensation expression for the body $s$ in $P_1$ is

$Z_1 = at\,\ell_3 + at\,\ell_4 + at\,\ell_5.$

Computing the compensation expression $Z_j$ for the body $B$ for each process $P_j$ we form the full invariant:

$B + \sum_{j=1}^{m} Z_j = C.$

For the three bodies we considered, we obtain the following three invariants:

$I_1:\ s + at\,\ell_{3..5} + at\,m_{2..5} = 1$

$I_2:\ cf + ce + at\,\ell_{2..6} + at\,m_{1..6} = N$

$I_3:\ |b| + ce + at\,\ell_{2..4} + at\,m_{5,6} = N.$

Note that $Q_3$ can be obtained by forming the difference $I_2 - I_3$.

This method of deriving invariants has the advantage that no further proof is needed; indeed, any invariant derived by the method is automatically a true invariant of the program. But it may only be applied to variables which are modified by a constant in atomic instructions, or to programs which can be transformed so as to satisfy this restriction.
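As an added example (not part of the paper), the following Python program automates the three steps of the search for program CP: it computes the net changes $\Delta^j_i$ from a description of each process's cycle, solves $\sum_i a_i \Delta^j_i = 0$ by Gauss-Jordan elimination over the rationals, and for each basis body derives $C$ from the initial values and the compensation expressions $Z_j$ by running each process alone and recording $\delta_i = B_0 - B_i$. It assumes a constructed capacity $N = 4$ and tracks $|b|$ under the name `b`; the instruction effects listed for P1 and P2 are transcribed from the CP listing above, and the function names are the example's own. The basis it returns is $s$, $cf - |b|$ and $|b| + ce$ (the paper's $B_2 = cf + ce$ is the sum of the last two), and the compensation expressions it derives are those of $I_1$, $Q_3$ and $I_3$.

```python
"""Added example: systematic derivation of linear invariants (B + Z) = C for
program CP.  Each process is its cycle of locations with the constant change
that the instruction at each location makes to the tracked variables."""
from fractions import Fraction

VARS = ("s", "b", "cf", "ce")                 # "b" tracks the length |b|
N = 4                                         # constructed buffer capacity
INIT = {"s": 1, "b": 0, "cf": 0, "ce": N}     # initial values of the variables

# (location, change to the variables when the instruction there is executed)
PRODUCER = [("l0", {}), ("l1", {"ce": -1}), ("l2", {"s": -1}), ("l3", {}),
            ("l4", {"b": +1}), ("l5", {"s": +1}), ("l6", {"cf": +1}), ("l7", {})]
CONSUMER = [("m0", {"cf": -1}), ("m1", {"s": -1}), ("m2", {}), ("m3", {}),
            ("m4", {"b": -1}), ("m5", {"s": +1}), ("m6", {"ce": +1}),
            ("m7", {}), ("m8", {})]
PROCESSES = [PRODUCER, CONSUMER]


def cycle_change(proc):
    """Delta^j: net change of every tracked variable over one full cycle."""
    delta = dict.fromkeys(VARS, 0)
    for _, effect in proc:
        for v, d in effect.items():
            delta[v] += d
    return [delta[v] for v in VARS]


def nullspace(rows):
    """Basis of {a : rows . a = 0}, by Gauss-Jordan elimination over Q."""
    m = [[Fraction(x) for x in row] for row in rows]
    ncols, pivots, r = len(m[0]), [], 0
    for c in range(ncols):
        p = next((i for i in range(r, len(m)) if m[i][c] != 0), None)
        if p is None:
            continue                       # no pivot: c is a free column
        m[r], m[p] = m[p], m[r]
        m[r] = [x / m[r][c] for x in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c] != 0:
                m[i] = [a - m[i][c] * b for a, b in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    basis = []
    for f in (c for c in range(ncols) if c not in pivots):
        vec = [Fraction(0)] * ncols
        vec[f] = Fraction(1)               # free variable set to 1 ...
        for i, pc in enumerate(pivots):
            vec[pc] = -m[i][f]             # ... pivot variables solved for it
        basis.append(tuple(vec))
    return basis


def body_value(body, vals):
    """B(y) = sum of a_i * y_i."""
    return sum(a * vals[v] for a, v in zip(body, VARS))


def compensation(body, proc, init):
    """Z_j as {location: delta_i}, delta_i = B_0 - B_i with the process run alone."""
    vals, comp = dict(init), {}
    b0 = body_value(body, vals)
    for loc, effect in proc:
        d = b0 - body_value(body, vals)    # value of B on arrival at this location
        if d != 0:
            comp[loc] = d
        for v, dd in effect.items():       # then execute the instruction
            vals[v] += dd
    return comp


def linear_invariants(processes, init):
    """Every invariant B + Z_1 + ... + Z_m = C the method yields, keyed by body."""
    rows = [cycle_change(p) for p in processes]
    found = {}
    for body in nullspace(rows):
        zs = [compensation(body, p, init) for p in processes]
        found[body] = (zs, body_value(body, init))
    return found


if __name__ == "__main__":
    for body, (zs, c) in linear_invariants(PROCESSES, INIT).items():
        print(tuple(int(a) for a in body), zs, "=", c)
```

The bodies are keyed by their coefficient vectors over `VARS`, so `found[(1, 0, 0, 0)]` is the invariant with body $s$ and `found[(0, -1, 1, 0)]` the one with body $cf - |b|$; the compensation dictionaries list only the locations whose $\delta_i$ is nonzero, which is exactly the region that appears in the $at$ term of the invariant.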

EXAMPLE: BINOMIAL COEFFICIENT

Consider next the program BC ([MP2]) for the distributed computation of the binomial coefficient $\binom{n}{k}$ for input parameters $n \ge k \ge 0$.

Program BC1 (Binomial Coefficient, first version)

$y_1 := n,\ y_2 := 0,\ y_3 := 1,\ y_4 := 1$

    P1                                     P2
    l0 : if y1 = (n - k) then go to le     m0 : if y2 = k then go to me
    l1 : request(y4)                       m1 : y2 := y2 + 1
    l2 : t1 := y3 * y1                     m2 : loop until y1 + y2 <= n
    l3 : y3 := t1                          m3 : request(y4)
    l4 : release(y4)                       m4 : t2 := y3 / y2
    l5 : y1 := y1 - 1                      m5 : y3 := t2
    l6 : go to l0                          m6 : release(y4)
    le : halt                              m7 : go to m0
                                           me : halt
The task of computing the binomial coefficient

$\binom{n}{k} = \dfrac{n \cdot (n-1) \cdots (n-k+1)}{1 \cdot 2 \cdots k}$

is distributed between the two processes by having $P_1$ perform all the multiplications while $P_2$ is in charge of the divisions. The values of $y_1$, i.e., $n, n-1, \ldots, n-k+1$, are used to compute the numerator in $P_1$ (the last value of $y_1$, $n-k$, is not used), and the values of $y_2$, i.e., $1, 2, \ldots, k$, are used to compute the denominator (the first value of $y_2$, 0, is not used). The two processes must synchronize in order that the accumulated product be evenly divisible by the divisors used at $m_4$ by $P_2$. This synchronization is realized by the waiting loop at $m_2$, which essentially ensures that execution will proceed to $m_3$ only when at least $y_2$ factors have been multiplied into $y_3$. We rely here on the mathematical theorem that the product of $i$ consecutive positive integers $a \cdot (a+1) \cdots (a+i-1)$ is always divisible by $i!$. For, consider the intermediate expression at $m_3$:

$y_3 = \dfrac{n \cdot (n-1) \cdots (n-j+1)}{1 \cdot 2 \cdots (i-1)},$

where $1 \le i \le j \le n$, $y_1 = n - j$ and $y_2 = i$. The numerator consists of a product of $j$ consecutive positive integers and it is therefore divisible by $j!$, hence by $i!$. If $j = i$, we have to wait until $y_1$ is decremented by the instruction at $\ell_5$ from $n-i+1$ to $n-i$ before we can be absolutely sure that $(n-i+1)$ has been multiplied into $y_3$. Thus, process $P_2$ waits at $m_2$ until $y_1 + y_2$ drops to a value less than or equal to $n$.

The critical sections $L = \{\ell_2, \ell_3, \ell_4\}$ and $M = \{m_4, m_5, m_6\}$, protected by the semaphore variable $y_4$, ensure exclusive access to the shared variable $y_3$. Note that this program satisfies the single critical access rule ([MP2]) since, for example, in the expression $y_1 + y_2$ appearing at $m_2$ only $y_1$ is critically accessed.

The invariant

$I_0:\ at\,\ell_{2..4} + at\,m_{4..6} + y_4 = 1$

ensures the mutual exclusion of the critical sections. It is verifiable by the invariance principle in the usual way.

Once this exclusion is established we can transform this program to a simpler program BC2 such that there is a faithful correspondence between executions of BC1 and executions of BC2. This implies that the correctness of BC1 will follow from that of BC2.

Program BC2 (Binomial Coefficient, second version)

$y_1 := n,\ y_2 := 0,\ y_3 := 1$

    P1                                     P2
    l0 : if y1 = (n - k) then go to le     m0 : if y2 = k then go to me
    l1 : y3 := y3 * y1                     m1 : y2 := y2 + 1
    l2 : y1 := y1 - 1                      m2 : loop until y1 + y2 <= n
    l3 : go to l0                          m3 : y3 := y3 / y2
    le : halt                              m4 : go to m0
                                           me : halt
Next we introduce two virtual variables:

$y_1^* = \mathbf{if}\ at\,\ell_2\ \mathbf{then}\ y_1 - 1\ \mathbf{else}\ y_1$

$y_2^* = \mathbf{if}\ at\,m_{2,3}\ \mathbf{then}\ y_2 - 1\ \mathbf{else}\ y_2.$

The need for the virtual variables is similar to that of the compensation expressions discussed above. The main invariant on which the correctness of the program is based is $I_3$ below

$y_3 = [n \cdot (n-1) \cdots (y_1^* + 1)]\ /\ [1 \cdot 2 \cdots y_2^*]$

which ties together $y_1$, $y_2$ and $y_3$ (or their virtual versions). It is invariant in the sense that it is preserved after $y_1$, $y_2$ and $y_3$ have each been properly updated. However, since the updating of $y_1$ and $y_3$ in $P_1$, for example, cannot occur simultaneously, we define $y_1^*$, which is the anticipated updated value of $y_1$ as soon as $y_3$ is updated at $\ell_1$. Similarly, $y_2^*$ differs from $y_2$ between the updating of $y_2$ and the updating of $y_3$ in $P_2$.

We use the following invariants:

$I_1:\ [(n - k + at\,\ell_{1,2}) \le y_1 \le n] \wedge [0 \le y_2 \le (k - at\,m_1)]$

$I_2:\ at\,m_3 \supset (y_1 + y_2) \le n$

$I_3:\ y_3 = [n \cdot (n-1) \cdots (y_1^* + 1)]\ /\ [1 \cdot 2 \cdots y_2^*]$

In $I_3$, the product of a zero number of terms evaluates to 1.

The initiality of $I_1$ to $I_3$ is easily verifiable.

The two parts of $I_1$ can be verified separately by considering the transitions $\ell_0 \to \ell_1$, $\ell_2 \to \ell_3$ and $m_0 \to m_1$, $m_1 \to m_2$ respectively.

To verify $I_2$ we observe that on entering $m_3$, $y_1 + y_2 \le n$ holds true. Any possible transition while $P_2$ is at $m_3$ can only decrease the value of $y_1 + y_2$.

Consider now the verification of $I_3$. The only relevant transitions are $\ell_1 \to \ell_2$ and $m_3 \to m_4$. Denoting the values of the variables after the transition by $y_1^{*\prime}$, $y_2^{*\prime}$, $y_3'$ respectively, we obtain for $\ell_1 \to \ell_2$:

$y_3 = [n \cdot (n-1) \cdots (y_1^* + 1)]\ /\ [1 \cdot 2 \cdots y_2^*]$

$\Rightarrow\ y_3 \cdot y_1 = [n \cdot (n-1) \cdots (y_1^* + 1) \cdot y_1^*]\ /\ [1 \cdot 2 \cdots y_2^*]$ (as at $\ell_1$, $y_1 = y_1^*$)

$\Rightarrow\ y_3' = [n \cdot (n-1) \cdots (y_1^{*\prime} + 1)]\ /\ [1 \cdot 2 \cdots y_2^{*\prime}].$

Similarly for the $m_3 \to m_4$ transition:

$y_3 = [n \cdot (n-1) \cdots (y_1^* + 1)]\ /\ [1 \cdot 2 \cdots y_2^*]$

$\Rightarrow\ y_3 / y_2 = [n \cdot (n-1) \cdots (y_1^* + 1)]\ /\ [1 \cdot 2 \cdots (y_2^* + 1)]$ (as at $m_3$, $y_2 = y_2^* + 1$)

$\Rightarrow\ y_3' = [n \cdot (n-1) \cdots (y_1^{*\prime} + 1)]\ /\ [1 \cdot 2 \cdots y_2^{*\prime}].$

The even divisibility of $y_3$ by $y_2$ at $m_3$ is ensured by the fact that by $I_2$ we have that

$y_1^* \le y_1 \le n - y_2.$

Thus the number of consecutive factors in the numerator of $y_3$ is at least $y_2$, and a product of $y_2$ consecutive positive integers is evenly divisible by $y_2!$.


PROVING  EVENTUALITIES 


Here we will consider general methodologies for proving properties of the form

\[ \models\; P \supset \Diamond Q . \]

Many of the cases that we will study focus on a special kind of eventuality called an accessibility statement. Its characteristic form is

\[ at\,\ell \supset \Diamond\, at\,\ell' \]

guaranteeing that being at $\ell$ we will eventually reach $\ell'$. In more general form it can appear as:

\[ (at\,\ell \wedge \phi) \supset \Diamond(at\,\ell' \wedge \phi') , \]

where we associate a precondition $\phi$ with the visit at $\ell$ and a post-condition $\phi'$ with the visit at $\ell'$. The Intermittent-Assertion Method (see [BUR], [MW]) uses this implication as the basic statement for reasoning. Many useful eventuality properties are representable in this form. In this discussion we assume that $\ell$ and $\ell'$ belong to the same process. It is however possible to consider generalizations in which this assumption may be relaxed.

Our approach for proving eventuality properties, called proof by eventuality chains, is based on establishing a chain of eventualities that by transitivity leads to the ultimate establishing of the desired goal (see also [OL]). The main transitivity argument used here is:

\[ \models \phi_1 \supset \Diamond\phi_2 \;\text{ and }\; \models \phi_2 \supset \Diamond\phi_3 \;\Longrightarrow\; \models \phi_1 \supset \Diamond\phi_3 . \]


Some common techniques that we use in our proofs are:

•  We split a situation into several subcases and pursue each case to its conclusion.

•  To establish implications of the form

\[ \models (\exists k.\,\phi(k)) \supset \Diamond\phi' \]

we use induction:

\[ \models \phi(0) \supset \phi' \;\text{ and }\; \models \forall n.\,[\phi(n) \supset \Diamond(\phi(n-1) \vee \phi')] \;\Longrightarrow\; \models (\exists k.\,\phi(k)) \supset \Diamond\phi' . \]

•  We frequently establish $\models \phi \supset \Diamond\phi'$ by contradiction: we assume $\phi \wedge \Box\neg\phi'$ and pursue the consequences of this assumption. If we succeed in showing

\[ \models [\phi \wedge \Box\neg\phi'] \supset \mathit{false} , \]

then we will have established our desired result. This technique is particularly useful in the verification of a statement of the form

\[ at\,\ell \supset \Diamond\neg at\,\ell \]

in concurrent systems. The reason for that is that by assuming $\Box\, at\,\ell$ we are momentarily (for the duration of the analysis) halting one of the processes at $\ell$ and have only to analyze the possible movements of the other processes. This usually results in a significant simplification.

We  start  by  presenting  an  example  with  an  informal  proof  of  its  correctness  relative  to 
accessibility. 


EXAMPLE: MUTUAL EXCLUSION WITH INFORMAL PROOFS


As a first example, consider the solution to the mutual exclusion problem that was first given by Dekker and described in [DIJ]. Here, we assume a shared variable $t$ that may be modified by both processes and two private boolean variables $y_1$ and $y_2$, each being set only by its owning process but which may be examined by the other.

Program DK (Mutual Exclusion - Dekker's Solution):

    t := 1, y1 := y2 := F

    P1:                                  P2:
    ℓ0 : execute                         m0 : execute
    ℓ1 : y1 := T                         m1 : y2 := T
    ℓ2 : if (y2 = F) then go to ℓ7       m2 : if (y1 = F) then go to m7
    ℓ3 : if (t = 1) then go to ℓ2        m3 : if (t = 2) then go to m2
    ℓ4 : y1 := F                         m4 : y2 := F
    ℓ5 : loop until (t = 1)              m5 : loop until (t = 2)
    ℓ6 : go to ℓ1                        m6 : go to m1
    ℓ7 : t := 2                          m7 : t := 1
    ℓ8 : y1 := F                         m8 : y2 := F
    ℓ9 : go to ℓ0                        m9 : go to m0

The variable $y_1$ in process $P_1$ (and $y_2$ for $P_2$ respectively) is set to $T$ at $\ell_1$ to signal the intention of $P_1$ to enter its critical section at $\ell_7$. Next $P_1$ tests at $\ell_2$ whether $P_2$ has any interest in entering its own critical section. This is tested by checking whether $y_2 = T$. If $y_2 = F$, $P_1$ proceeds immediately to its critical section. If $y_2 = T$ we have a competition between the two processes for the access right to their critical sections. This competition is resolved by using the variable $t$ (turn), which has the value 1 if in case of conflict $P_1$ has the higher priority and the value 2 if $P_2$ has the higher priority. If $P_1$ finds that $t = 1$ it knows it is its turn to insist, and it leaves $y_1$ on and just loops between $\ell_2$ and $\ell_3$ waiting for $y_2$ to drop to $F$. If it finds that $t = 2$ it realizes it should yield to the other and consequently it turns $y_1$ off and enters a loop at $\ell_5$, waiting for $t$ to change to 1. It knows that as soon as $P_2$ exits its critical section it will set $t$ to 1, so it will not be waiting forever. Once $t$ has been detected to be 1, $P_1$ returns to the active competition at $\ell_2$.

We will proceed to prove for this program both mutual exclusion and accessibility. They are complementary properties in this case. The first assures that the two processes cannot simultaneously enter their respective critical sections. The second assures that once a process wishes to enter its critical section it will eventually get there.

Mutual  exclusion 

To prove mutual exclusion we show the joint invariance of the following three assertions:

\[ Q_1 : \; (y_1 = T) \equiv at\{\ell_2, \ell_3, \ell_4, \ell_7, \ell_8\} \]

\[ Q_2 : \; (y_2 = T) \equiv at\{m_2, m_3, m_4, m_7, m_8\} \]

\[ Q_3 : \; \neg at\{\ell_7, \ell_8\} \vee \neg at\{m_7, m_8\} . \]

That is,

\[ \models \Box(Q_1 \wedge Q_2 \wedge Q_3) , \]

where the initial condition is given by

\[ at\,\ell_0 \wedge at\,m_0 \wedge (t = 1) \wedge (y_1 = y_2 = F) . \]

The inductiveness of the first two assertions is easily checked by considering the different transitions in each of the processes. They certainly hold initially.

To show the invariance of $Q_3$, which is the statement of mutual exclusion, consider the possible transitions that could potentially falsify this assertion.

One such transition is $\ell_2 \to \ell_7$ while $at\{m_7, m_8\}$. However, by $Q_2$, $at\{m_7, m_8\}$ implies $y_2 = T$, so that the transition $\ell_2 \to \ell_7$ is disabled. Similarly for the transition $m_2 \to m_7$ while $at\{\ell_7, \ell_8\}$.

Accessibility 

Accessibility in this program is given for $P_1$ (the case for $P_2$ is similar) by

\[ \models at\,\ell_1 \supset \Diamond\, at\,\ell_7 . \]

The process $P_1$ signals its wish to enter the critical section by moving from $\ell_0$ to $\ell_1$. We then would like to prove that it eventually reaches the critical section at $\ell_7$.


In analyzing this program we have to interpret the execute instructions at $\ell_0$ and $m_0$ as a non-critical section. Consequently we cannot assume that being at $\ell_0$ we will eventually get to $\ell_1$. Hence the transition graph representation of the execute instruction at $\ell_0$ (and similarly at $m_0$) should be represented as:

[figure not reproduced: location $\ell_0$ with a self-loop and a transition to $\ell_1$]

That is, there is a nondeterministic choice between staying at $\ell_0$ and proceeding to $\ell_1$.

We will proceed to prove

Theorem: $\models at\,\ell_1 \supset \Diamond\, at\,\ell_7$.

Here we will present an informal proof of the statement, followed by the justification of some of the steps used in the proof. Motivated by recurrent patterns in the informal proof we will then introduce proof principles that could be used to construct a formal version of the same proof.

The  proof  of  the  theorem  consists  of  a  sequence  of  lemmas. 

Lemma A: $\models [at\,\ell_3 \wedge (t = 1)] \supset \Diamond\, at\,\ell_7$

Proof of Lemma A:

Assume to the contrary that $P_1$ never takes the $\ell_2 \to \ell_7$ transition; then henceforth

\[ \Box[(at\,\ell_2 \vee at\,\ell_3) \wedge (t = 1)] \]

since the only instruction assigning to $t$ a value different from 1 is at $\ell_7$, and as long as $t = 1$ and the transition $\ell_2 \to \ell_7$ is not taken, $P_1$ is restricted to $\{\ell_2, \ell_3\}$.

Under this invariance assumption $at\{\ell_2, \ell_3\} \wedge (t = 1)$, let us check the locations of $P_2$.

case a: $P_2$ is at $m_5$. Then $y_2 = F$ and will stay so. By fairness $P_1$ must eventually get to $\ell_2$ and in the next transition out of $\ell_2$ must go to $\ell_7$ ($y_2$ being $F$). Thus

\[ \models at\,m_5 \supset \Diamond\, at\,\ell_7 . \]

case b: $P_2$ is at $m_4$. Then by the fairness requirement it will eventually reach $m_5$, so that by case a

\[ \models at\,m_4 \supset \Diamond\, at\,\ell_7 . \]

case c: $P_2$ is at $m_3$. Then in the next transition out of $m_3$, $t$ is still 1, so the $m_4$ branch must be taken. Consequently by case b

\[ \models at\,m_3 \supset \Diamond\, at\,\ell_7 . \]

case d: $P_2$ is at $m_2$. Then since, by $Q_1$, $(at\,\ell_2 \vee at\,\ell_3) \supset y_1 = T$, and since we assumed that $P_1$ is restricted to $\{\ell_2, \ell_3\}$, the next transition of $P_2$ will take us to $m_3$. Thus by case c we also have

\[ \models at\,m_2 \supset \Diamond\, at\,\ell_7 . \]

case e: $P_2$ is at $m_1$. Then obviously eventually $P_2$ will reach $m_2$, so that by case d we have

\[ \models at\,m_1 \supset \Diamond\, at\,\ell_7 . \]

case f: $P_2$ is at $m_6$. Then eventually $P_2$ will get to $m_1$, so by case e

\[ \models at\,m_6 \supset \Diamond\, at\,\ell_7 . \]

case g: $P_2$ is at $m_0$. Then either it will stay in $m_0$ forever or eventually exit to $m_1$. In the case that it stays in $m_0$ forever we have by $Q_2$, $\Box(y_2 = F)$. Thus in the next transition out of $\ell_2$ we must proceed to $\ell_7$. Otherwise $P_2$ will eventually get to $m_1$, which by case f leads again to $at\,\ell_7$. Thus in any case

\[ \models at\,m_0 \supset \Diamond\, at\,\ell_7 . \]

case h: Obviously by fairness

\[ \models (at\,m_7 \vee at\,m_8 \vee at\,m_9) \supset \Diamond\, at\,m_0 , \]

so that by case g, any of these cases also leads to the eventual realization of $at\,\ell_7$.

Thus by analyzing all the possible values of $\pi_2$ in $P_2$ we showed that $at\,\ell_7$ is eventually realized in any of them. Consequently we have that

\[ \models [at\,\ell_3 \wedge (t = 1)] \supset \Diamond\, at\,\ell_7 , \]

which is the desired result of Lemma A.  ∎

Lemma B: $\models [at\{\ell_3, \ldots, \ell_6\} \wedge (t = 2)] \supset \neg at\{m_8, m_9, m_0\}$

Proof of Lemma B:

Consider first the invariance of the following statement:

\[ Q_4 : \; (t = 2) \supset \neg at\,m_8 . \]

The transitions which may possibly falsify this statement are:

•  $\ell_7 \to \ell_8$ while $P_2$ is at $m_8$. However, due to $Q_3$, $at\,\ell_7 \wedge at\,m_8$ is an impossible situation.

•  $m_7 \to m_8$ while $t = 2$, but the transition sets $t = 1$, so that $Q_4$ does hold after the transition.

Having established $\models \Box Q_4$ we proceed to establish $\models \Box Q_5$ where

\[ Q_5 : \; [at\{\ell_3, \ldots, \ell_6\} \wedge (t = 2)] \supset \neg at\{m_9, m_0\} . \]

Let us investigate the transitions that could possibly falsify $Q_5$. The relevant transitions are:

•  $\ell_2 \to \ell_3$ while $at\{m_9, m_0\}$. However, by $Q_2$, $at\{m_9, m_0\}$ implies that $y_2 = F$, which disables this transition.

•  $m_8 \to m_9$ while $t = 2$. However, in view of $Q_4$ the situation $(t = 2) \wedge at\,m_8$ is impossible, so that the transition is also impossible.

Taking the conjunction of $Q_4$ and $Q_5$ we can infer the result of Lemma B.  ∎

Lemma C: $\models at\,\ell_5 \supset \Diamond\, at\,\ell_7$.

Proof of Lemma C:

If we are at $\ell_5$ there are two possibilities. Either we will eventually get to $\ell_6$ with $t = 1$ or we will stay forever in $\ell_5$ with $t = 2$ continuously.

In the first case we proceed to $\ell_1$ and reach $\ell_2$. There we either enter $\ell_7$ immediately or get to $\ell_3$ with $t = 1$. The value of $t$ will not change on the way, since the only possible change of $t$ from 1 to 2 is performed by $P_1$ at $\ell_7 \to \ell_8$. By Lemma A, being at $\ell_3$ with $t = 1$ ultimately leads to $\ell_7$.

The other case is that in which $\Box(t = 2 \wedge at\,\ell_5)$. By Lemma B we have that $\Box(\neg at\{m_8, m_9, m_0\})$. Since $at\,\ell_5$ is permanently true, so will be $y_1 = F$ by $Q_1$.

Consider now all the possible locations of $\pi_2$ in $P_2$ excluding $m_8$, $m_9$ and $m_0$:

$at\,m_7$ will eventually lead us to $m_8$ and turn $t$ to 1.

$at\,m_2$ will lead us to $m_7$, since $y_1 = F$, and then to $m_8$.

$at\,m_3$ will lead us to $m_2$, since $t = 2$.

$at\,m_1$ leads to $m_2$.

$at\,m_6$ leads to $m_1$.

$at\,m_5$ will eventually lead to $m_6$, having $t = 2$.

$at\,m_4$ leads to $m_5$.

Consequently all the locations in $P_2$ eventually cause $t$ to turn to 1, and $P_1$ will eventually get out of $\ell_5$ and proceed to $\ell_3$ with $t = 1$. Lemma A then establishes the desired result.  ∎

We are ready now to prove the desired accessibility theorem, that $\models at\,\ell_1 \supset \Diamond\, at\,\ell_7$.

Proof of Theorem:

Proceed with $P_1$ from $\ell_1$ to $\ell_2$. There we either immediately enter $\ell_7$ or arrive at $\ell_3$. Consider the next instant in which $P_1$ is scheduled. If $t = 1$ we are assured by Lemma A that we will ultimately get to $\ell_7$. If $t = 2$ we proceed to $\ell_4$ and $\ell_5$, from which we are assured by Lemma C of eventually getting to $\ell_7$. Thus we will get to $\ell_7$ in all cases.  ∎
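The invariants $Q_1$ to $Q_3$ and the accessibility theorem proved above for program DK can also be checked mechanically by exhaustive exploration of the program's state space. The following Python model checker is an added example and not part of the paper: it encodes DK as a transition system over states $(\pi_1, \pi_2, t, y_1, y_2)$, verifies $Q_1$, $Q_2$, $Q_3$ (and $Q_4$ from Lemma B) on every reachable state, and decides $\models at\,\ell_1 \supset \Diamond\, at\,\ell_7$ under the paper's fairness assumption by searching the $\ell_7$-free part of the state graph for a strongly connected component in which both processes take transitions, since such a component is exactly a fair execution that never reaches $\ell_7$. The execute instructions at $\ell_0$ and $m_0$ are modelled as the nondeterministic choice between staying and proceeding, as the text prescribes. The `use_turn=False` variant is a constructed contrast, not a program from the paper: it makes $\ell_3$ and $m_3$ always return to $\ell_2$ and $m_2$, so the checker exhibits the fair livelock that the turn variable $t$ prevents.

```python
"""Explicit-state check of program DK (Dekker's solution).

Added example, not part of the paper.  A state is (pi1, pi2, t, y1, y2) with
the paper's location numbering l0..l9 / m0..m9 and T/F as True/False.
The 'execute' instructions at l0 and m0 are modelled as a nondeterministic
choice between staying and proceeding, as the text prescribes."""
from collections import deque

INIT = (0, 0, 1, False, False)   # at l0 and at m0, t = 1, y1 = y2 = F

def step(pc, t, own, other, me, use_turn=True):
    """Local successors (pc', t', y_own') of process `me` (1 or 2), where
    `own` is its flag y_me and `other` the other process's flag.
    use_turn=False is a constructed flag-only variant (not in the paper):
    l3/m3 then always return to l2/m2 instead of yielding on t."""
    if pc == 0: return [(0, t, own), (1, t, own)]          # execute: stay or proceed
    if pc == 1: return [(2, t, True)]                      # y_me := T
    if pc == 2: return [(3, t, own)] if other else [(7, t, own)]
    if pc == 3: return [(2, t, own)] if (t == me or not use_turn) else [(4, t, own)]
    if pc == 4: return [(5, t, False)]                     # y_me := F
    if pc == 5: return [(6, t, own)] if t == me else [(5, t, own)]   # loop until t = me
    if pc == 6: return [(1, t, own)]
    if pc == 7: return [(8, 3 - me, own)]                  # leave CS: t := other's number
    if pc == 8: return [(9, t, False)]                     # y_me := F
    return [(0, t, own)]                                   # pc == 9: go to l0 / m0

def successors(s, use_turn=True):
    """Global successors as (process, next_state) pairs."""
    pc1, pc2, t, y1, y2 = s
    return ([(1, (p, pc2, nt, ny, y2)) for p, nt, ny in step(pc1, t, y1, y2, 1, use_turn)] +
            [(2, (pc1, p, nt, y1, ny)) for p, nt, ny in step(pc2, t, y2, y1, 2, use_turn)])

def reachable(use_turn=True):
    seen, todo = {INIT}, deque([INIT])
    while todo:
        for _, n in successors(todo.popleft(), use_turn):
            if n not in seen:
                seen.add(n); todo.append(n)
    return seen

# The paper's invariants (Q4 is the one from the proof of Lemma B).
def Q1(s): return s[3] == (s[0] in {2, 3, 4, 7, 8})
def Q2(s): return s[4] == (s[1] in {2, 3, 4, 7, 8})
def Q3(s): return not (s[0] in {7, 8} and s[1] in {7, 8})
def Q4(s): return not (s[2] == 2 and s[1] == 8)

def check_invariants(use_turn=True):
    return all(Q1(s) and Q2(s) and Q3(s) and Q4(s) for s in reachable(use_turn))

def sccs(nodes, edges):
    """Strongly connected components (Kosaraju, iterative).
    edges[n] is a list of (process, n') pairs."""
    order, seen = [], set()
    for root in nodes:
        if root in seen: continue
        seen.add(root); stack = [(root, iter(edges[root]))]
        while stack:
            n, it = stack[-1]
            for _, m in it:
                if m not in seen:
                    seen.add(m); stack.append((m, iter(edges[m]))); break
            else:
                order.append(n); stack.pop()
    rev = {n: [] for n in nodes}
    for n in nodes:
        for _, m in edges[n]: rev[m].append(n)
    comps, done = [], set()
    for n in reversed(order):
        if n in done: continue
        comp, stack = set(), [n]; done.add(n)
        while stack:
            x = stack.pop(); comp.add(x)
            for m in rev[x]:
                if m not in done: done.add(m); stack.append(m)
        comps.append(frozenset(comp))
    return comps

def check_accessibility(use_turn=True):
    """Decide |= at l1 -> <> at l7 under fairness (every process is scheduled
    infinitely often).  A fair execution that never reaches l7 eventually
    stays inside one SCC of the l7-free state graph and still moves both
    processes, so accessibility fails exactly when such an SCC contains
    transitions of both P1 and P2.  Returns (ok, offending_scc_or_None)."""
    goal = lambda s: s[0] == 7
    starts = [s for s in reachable(use_turn) if s[0] == 1]
    nodes, edges, todo = set(starts), {}, deque(starts)
    while todo:                      # l7-free region reachable from at l1
        s = todo.popleft()
        edges[s] = [(p, n) for p, n in successors(s, use_turn) if not goal(n)]
        for _, n in edges[s]:
            if n not in nodes:
                nodes.add(n); todo.append(n)
    for comp in sccs(nodes, edges):
        movers = {p for s in comp for p, n in edges[s] if n in comp}
        if movers == {1, 2}:
            return False, comp
    return True, None

if __name__ == "__main__":
    print("Q1..Q4 hold on all reachable states:", check_invariants())
    print("accessibility, program DK:", check_accessibility()[0])
    print("accessibility, flag-only variant:", check_accessibility(use_turn=False)[0])
```

The checker confirms the informal proof: every reachable state satisfies $Q_1$ to $Q_4$ and no fair execution from $at\,\ell_1$ avoids $\ell_7$, while for the flag-only variant it returns the component in which both processes cycle through $\ell_2, \ell_3$ and $m_2, m_3$ with $y_1 = y_2 = T$, the very situation that Lemma A's case analysis on $t$ rules out for DK.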
PROOF PRINCIPLES FOR EVENTUALITIES


In order to present proofs such as the above in a more rigorous, perhaps even machine checkable, style, we proceed to develop several proof principles. These will enable us to establish the basic accessibility steps ensuring the eventual passage from a location to its successor under the assumption of fairness.

All predicates below are "state predicates" expressed by classical formulas, and will generally depend on the location variables $\pi$ as well as on the program variables $y$.

A predicate $\phi = \phi(\pi; y)$ is said to be $\chi$-invariant, where $\chi = \chi(\pi; y)$, if for every transition

\[ \ell \;\xrightarrow{\; c(y) \to [y := f(y)]\;}\; \ell' \]

the following formula holds:

\[ [at\,\ell \wedge c(y) \wedge \chi(\pi; y) \wedge \chi(r(\pi); f(y)) \wedge \phi(\pi; y)] \supset \phi(r(\pi); f(y)) . \]

That is, $\phi$ is preserved by any transition which preserves $\chi$.

In all the following we will use $\Box\chi$ to denote that $\chi$ is an invariant externally given and guaranteed to be continuously true. It will be useful in conducting conditional proofs.


The Escape Principle for Single Location

Consider a location $\ell$ in process $P_j$. Let $\Sigma = \{\alpha_1, \ldots, \alpha_k\}$ be a set of transitions originating in $\ell$. Let $\ell_1, \ldots, \ell_k$ be the locations to which the transitions $\alpha_1, \ldots, \alpha_k$ lead and $c_1, \ldots, c_k$ the enabling conditions associated with $\alpha_1, \ldots, \alpha_k$ respectively. We do not require that $\Sigma$ be the set of all transitions originating in $\ell$.

We require that location $\ell$ be deterministic, that is, the conditions $c$ and $c'$ on any two distinct transitions $\alpha$ and $\alpha'$ (not necessarily in $\Sigma$) originating in $\ell$ must be disjoint, i.e. $\models \neg c \vee \neg c'$. In all the programs that we will study all locations will be deterministic except for those that contain an execute instruction. We will never apply the escape rule to these locations.


The Rule of Escape (ESC):

Let $\phi$, $\chi$ and $\psi$ be predicates such that:

A:  $\phi$ is $(at\,\ell \wedge \chi)$-invariant.

    This means that as long as we stay at $\ell$ and $\chi$ is preserved, so is $\phi$.

B:  Any of the $\alpha_i$, $i = 1, \ldots, k$, transitions of $\Sigma$ that preserves $\chi$ and is initiated with $\phi$ true, achieves $\psi$, i.e., $\psi$ will hold after the transition. This is expressed by

\[ [at\,\ell \wedge c_i(y) \wedge \phi(\pi; y) \wedge \chi(\pi; y) \wedge \chi(r_i(\pi); f_i(y))] \supset \psi(r_i(\pi); f_i(y)) \]

    for every $i = 1, \ldots, k$.

C:  $\phi \wedge \chi$ at $\ell$ ensures that at least one $c_i$, $i = 1, \ldots, k$, is true (the transition is enabled), i.e.,

\[ [at\,\ell \wedge \phi(\pi; y) \wedge \chi(\pi; y)] \supset \bigvee_{i=1}^{k} c_i(y) . \]

Then under these three conditions we may conclude

\[ \models [at\,\ell \wedge \phi \wedge \Box\chi] \supset \Diamond\psi . \]

That is, being at $\ell$ with $\phi$ true and being assured of the continuous holding of $\chi$ guarantees eventual realization of $\psi$.

To justify the principle consider an execution which starts at $\ell$ with $\phi$ true and continuous assurance of $\chi$. By condition A, as long as $P_j$ is not scheduled we remain at $\ell$ with $\phi \wedge \chi$ true. By condition C this implies that all that time $\bigvee_{i=1}^{k} c_i$ is also continuously true. Therefore by fairness eventually $P_j$ must be scheduled in a state in which $\phi$, $\chi$, $\bigvee_{i=1}^{k} c_i$ all hold. Consequently by determinism of $\ell$ one of the $\alpha_i \in \Sigma$ transitions must be taken and by condition B, $\psi$ must be realized.

There are some variations and generalizations of this basic principle which are discussed next.


The Rule of Alternatives for Regions

The first generalization considers exits out of a region (set of locations) rather than a single location. This principle applies also to nondeterministic locations.

Let $L \subseteq L_j$ be a set of locations in the process $P_j$ and $\Sigma = \{\alpha_1, \ldots, \alpha_k\}$ the set of all transitions originating in $L$ and leading to locations $\ell_1, \ldots, \ell_k$ outside of $L$, i.e., $\ell_i \notin L$.

The Rule of Alternatives (ALT):

Let $\phi$, $\chi$, $\psi$ be predicates such that:

A:  $\phi$ is $(at\,L \wedge \chi)$-invariant.

    This means that as long as we stay in $L$ and $\chi$ is preserved so is $\phi$.

B:  Any of the $\alpha_i$, $i = 1, \ldots, k$, transitions of $\Sigma$ that preserves $\chi$ and is initiated with $\phi$ true, achieves $\psi$, i.e., $\psi$ will hold after the transition. This is expressed by:

\[ [at\,L \wedge c_i(y) \wedge \phi(\pi; y) \wedge \chi(\pi; y) \wedge \chi(r_i(\pi); f_i(y))] \supset \psi(r_i(\pi); f_i(y)) \]

    for every $i = 1, \ldots, k$.

Then under these conditions we may conclude:

\[ \models [at\,L \wedge \phi \wedge \Box\chi] \supset [\Box(at\,L \wedge \phi) \vee \Diamond\psi] . \]

That is, being initially in $L$ with $\phi$ true and being assured of the continuous holding of $\chi$ guarantees that we have two alternatives: either we stay in $L$ with $\phi$ permanently true, or achieve $\psi$.

Note that since we do not have any condition similar to C above that guarantees the eventual realization of $\psi$, we must also consider the possibility of remaining in $L$ and satisfying $\phi$ forever.

To justify the principle, consider an execution which starts in $L$ with $\phi$ true and continuous assurance of $\chi$. By condition A, as long as we stay in $L$, $\phi$ will remain true. By condition B, once we take any of the transitions in this situation $\psi$ will be realized. Hence the conclusion follows.

Note that the ALT rule can be applied to a region consisting of a single location. Thus for an execute instruction, with the exit transition $\alpha_1$ and the self-loop $\alpha_2$,

\[ \ell \;\xrightarrow{\;\alpha_1:\; \mathit{true} \to [\ ]\;}\; \ell' , \qquad \ell \;\xrightarrow{\;\alpha_2:\; \mathit{true} \to [\ ]\;}\; \ell , \]

we may take $L = \{\ell\}$ and $\Sigma = \{\alpha_1\}$ to obtain

\[ \models at\,\ell \supset [\Box\, at\,\ell \vee \Diamond\, at\,\ell'] . \]


The Semaphore Rule

Rule ESC above is adequate for dealing with locations for which the disjunction of all their exit conditions (on all the outgoing transitions) is identically true. A location which does not satisfy this requirement is called a semaphore location, since in a semaphore request instruction, represented by

\[ \ell \;\xrightarrow{\; y > 0 \to [y := y - 1]\;}\; \ell' , \]

the exit condition $E_\ell$ is $y > 0$ and is not identically true, nor is it necessarily continuously enabled. Consequently rules ESC and ALT are only sufficient for reasoning about programs that contain no semaphore locations. Once we have semaphore locations we need a stronger rule.

Let $\ell$ be a (possibly semaphore) location and $\Sigma = \{\alpha_1, \ldots, \alpha_k\}$ the set of all the transitions originating in $\ell$. Let $\ell_i$ and $c_i$, for $i = 1, \ldots, k$, be respectively the location to which $\alpha_i$ leads and the condition enabling it:

\[ \ell \;\xrightarrow{\; c_1(y) \to [y := f_1(y)]\;}\; \ell_1 , \quad \ldots , \quad \ell \;\xrightarrow{\; c_k(y) \to [y := f_k(y)]\;}\; \ell_k . \]


The Semaphore Rule (SEM):

Let $\phi$, $\chi$ and $\psi$ be state predicates such that:

A:  $\phi$ is $(at\,\ell \wedge \chi)$-invariant.

    This means that as long as we stay at $\ell$ and $\chi$ is preserved, so is $\phi$.

B:  Any of the $\alpha_i$, $i = 1, \ldots, k$, transitions of $\Sigma$ which preserves $\chi$ and is initiated with $\phi$ true, achieves $\psi$, i.e., $\psi$ will hold after the transition. This is expressed by:

\[ [at\,\ell \wedge c_i(y) \wedge \phi(\pi; y) \wedge \chi(\pi; y) \wedge \chi(r_i(\pi); f_i(y))] \supset \psi(r_i(\pi); f_i(y)) \]

    for every $i = 1, \ldots, k$.

C:  If $(\phi \wedge \chi)$ holds permanently at $\ell$ then eventually one of the $c_i$, $i = 1, \ldots, k$, will be true. That is

\[ \models \Box(at\,\ell \wedge \phi \wedge \chi) \supset \Diamond \bigvee_{i=1}^{k} c_i . \]

Then under these conditions we may conclude:

\[ \models (at\,\ell \wedge \phi \wedge \Box\chi) \supset \Diamond\psi . \]

That is, being at $\ell$ with $\phi$ true and being assured of the continuous holding of $\chi$ guarantees the eventual realization of $\psi$.

Note that condition C of SEM is weaker than condition C of ESC in that it does not require $E_\ell = \bigvee_{i=1}^{k} c_i$ to be true whenever $at\,\ell \wedge \phi \wedge \chi$ holds, but only requires it to be eventually realized. However, condition C here is a temporal statement and requires temporal reasoning for its justification, while condition C of ESC is static and requires only classical justification.

To justify this rule consider an execution which starts at $\ell$ with $\phi$ true and $\chi$ continuously maintained. Condition A ensures that as long as we stay at $\ell$, $\phi \wedge \chi$ will be preserved. It is impossible that we stay at $\ell$ forever, because by condition C this would imply that $E_\ell = \bigvee_{i=1}^{k} c_i$, which is the full exit condition of node $\ell$, is enabled infinitely often while process $P_j$ is never scheduled. By fairness we must have $P_j$ scheduled at least once while $E_\ell$ is true. This, by condition B and the permanence until this moment of $\phi \wedge at\,\ell \wedge \chi$, will cause $\psi$ to be realized.

It is important to realize the differences between a "semaphore location" and a "busy waiting" location. For comparison consider the following two simplified cases:

(a) Semaphore location: [figure not reproduced]

(b) Busy waiting location: [figure not reproduced]

(a) In the semaphore location case the fairness requirement demands that the scheduler will schedule this process at least once while its $c$ condition is true, provided the condition is true infinitely often. Thus for the SEM principle, which is appropriate to this case, we only require that $c$ is realized infinitely often. This is exactly condition C, which in this case is

\[ \models \Box(at\,\ell \wedge \phi \wedge \chi) \supset \Diamond c , \]

or equivalently

\[ \models \Box(at\,\ell \wedge \phi \wedge \chi) \supset \Box\Diamond c . \]

(b) For the "busy waiting" situation, since the exit condition is $c \vee \neg c = \mathit{true}$, the only obligation that the scheduler has is to eventually schedule this process. There is however nothing to prevent the process from being scheduled at exactly those instants in which $c$ is false. Consequently, an infinitely often true $c$ is not sufficient to ensure an exit to $\ell'$. Instead we must require a stronger guarantee, that $c$ be permanently true. Therefore, the corresponding condition C for the "busy waiting" situation for this case is

\[ \models (at\,\ell \wedge \phi \wedge \chi) \supset c , \]

which is equivalent to

\[ \models \Box(at\,\ell \wedge \phi \wedge \chi) \supset \Box c . \]

That is, if staying forever at $\ell$ guarantees the permanence of $c$ then we will eventually exit from $\ell$ to $\ell'$. This can be derived from the ESC rule.

Since $\models \Box c \supset \Diamond c$ we have the following robustness metatheorem:

    A program that has been proven correct for an interpretation of its semaphores as "busy waiting" locations is automatically correct for the implementation of these locations as true "semaphore" locations.

Consider, for example, the problem of accessibility of critical sections for the mutual exclusion program ME. In the proof to be given later we will reach the conclusion

\[ \models \Box\, at\,\ell_5 \supset \Diamond\Box(y_1 \ne y_2) , \]

where the instruction at $\ell_5$ is

\[ \ell_5 : \; \text{loop while } y_1 = y_2 . \]

Thus, this proof is sound for the interpretation of the loop primitive as "busy waiting". By the robustness metatheorem any more efficient implementation of the loop primitive, in fact any implementation at all which is "just", i.e., eventually schedules each process, will also cause the program to behave correctly.


The Single Path Rule

In this derived rule we repetitively apply the ESC rule to a chain of locations.

Let $\ell_1, \ldots, \ell_{k+1}$ be a path of deterministic locations in $P_j$ with an immediate transition $\alpha_i$ from every $\ell_i$ to $\ell_{i+1}$, $i = 1, \ldots, k$:

\[ \ell_1 \;\xrightarrow{\; c_1(y) \to [y := f_1(y)]\;}\; \ell_2 \;\xrightarrow{\; c_2(y) \to [y := f_2(y)]\;}\; \cdots \;\xrightarrow{\; c_k(y) \to [y := f_k(y)]\;}\; \ell_{k+1} . \]

The Single Path Rule (SP):

Let $\phi_1, \ldots, \phi_k$ and $\phi_{k+1} = \psi$ be predicates such that:

A:  Each $\phi_i$ is $(at\,\ell_i \wedge \chi)$-invariant, $i = 1, \ldots, k$.

    This means that as long as we stay at $\ell_i$ and $\chi$ is preserved so is $\phi_i$.

B:  Each transition $\alpha_i$, $i = 1, \ldots, k$, which preserves $\chi$ and is initiated with $\phi_i$ true achieves $\phi_{i+1}$, that is

\[ [at\,\ell_i \wedge c_i(y) \wedge \phi_i(\pi; y) \wedge \chi(\pi; y) \wedge \chi(r_i(\pi); f_i(y))] \supset \phi_{i+1}(r_i(\pi); f_i(y)) . \]

C:  $(\phi_i \wedge \chi)$ at $\ell_i$ ensures that $c_i$ is true, i.e.,

\[ [at\,\ell_i \wedge \phi_i \wedge \chi] \supset c_i . \]

Then under these three conditions we may conclude

\[ \models \Big[\bigvee_{i=1}^{k} (at\,\ell_i \wedge \phi_i) \wedge \Box\chi\Big] \supset \Diamond\psi . \]

That is, if we start anywhere in the path with the appropriate $\phi_i$ true and $\chi$ continuously maintained, we eventually wind up having $\psi$.

This rule is obviously a generalization of ESC and is justified by a repeated application of ESC to $\ell_1, \ldots, \ell_k$ (with $\Sigma_i = \{\alpha_i\}$) respectively.

This rule can be somewhat generalized to a more general graph than a path. The SP principle also applies to a tree in which every node has an edge directed towards its ancestor.

This concludes the list of semantic proof rules reflecting the structure of the program and its influence on the possible execution sequences.

* * * * *

In the following "formal" proofs of eventuality properties, we will intentionally omit manipulations which are pure temporal logic deductions, since we have not included an axiomatic system for temporal logic in this paper. Instead we will justify these deductions by saying "temporal reasoning" or "temporal deduction." The reader is invited to convince himself semantically that these deductions are indeed sound, that is, any sequence that satisfies the premises must also satisfy the consequence. Thus our proofs will consist, similarly to regular proofs, of a sequence of temporal formulas with a justification for each line in the sequence. A line in a proof may be justified in one of the following ways:

(a) If it is a valid first-order temporal logic formula.

(b) If it is an instance of one of the proof rules above.

(c) If it is a logical or temporal consequence of some preceding lines.

Given a deductive system for our logic (see [MAN2]) we will be able to justify steps of the form b and c using the axioms and rules of inference. Alternatively, c steps can be justified using a decision procedure for validity in (propositional) temporal logic ([BMP]). For our purpose of presenting proofs at a level which is not too formal, yet displays sufficient detail to be convincing, the style of semantic proofs seems most appropriate.

Note that our only reference to the program itself is through the proof principles ESC, ALT, SEM and SP.

In presenting formal (semantic) proofs we will work our way gradually through examples that use only the ESC and SP rules first, then examples that also use the ALT rule and finally examples using semaphores and the corresponding SEM rule.

EXAMPLE: COUNTING TREE NODES

Consider first the use of eventuality chains in proving the total correctness of the sequential program TN for counting the nodes of a binary tree.

Program TN (Counting the nodes of a tree):

    S := (X), C := 0
    ℓ0 : if S = ( ) then goto ℓ6
    ℓ1 : (T, S) := (hd(S), tl(S))
    ℓ2 : if T = Λ then goto ℓ0
    ℓ3 : C := C + 1
    ℓ4 : S := l(T)·r(T)·S
    ℓ5 : goto ℓ0
    ℓ6 : halt.

The program operates on a tree variable $T$ and a variable $S$ which is a stack of trees. The input variable $X$ is a tree. The output is the value of the counter $C$. Each node in a tree may have zero, one or two descendants.

The available operations on trees are the functions $l(T)$ and $r(T)$ that yield the left and right subtrees of a tree $T$ respectively. If the tree does not possess one of these subtrees the functions return the value $\Lambda$.

The stack $S$ is initialized to contain the tree $X$. Taking the head and tail of a stack (functions $hd$ and $tl$ respectively) yields the top element and the rest of the stack respectively. The operation at $\ell_1$ pops the top of the stack into the variable $T$. The operation at $\ell_4$ pushes both the right subtree and the left subtree of $T$ onto the top of the stack.

At any iteration of the program, the stack $S$ contains the list of subtrees of $X$ whose nodes have not yet been counted. Each iteration removes one such subtree from the stack. If it is the empty subtree, $T = \Lambda$, we proceed to examine the next subtree on the stack. If it is not the empty subtree we add one to the counter $C$ and push the left and right subtrees of $T$ onto the stack. When the stack is empty, $S = (\ )$, the program halts.

Denoting by $|X|$ the number of nodes in the tree $X$, the statement to be proved is formulated as

Theorem: $\models at\,\ell_0 \supset \Diamond(at\,\ell_6 \wedge C = |X|)$.

In order to prove the theorem we first prove a lemma:

Lemma: $\models [at\,\ell_0 \wedge S = t \cdot s \wedge C = c] \supset \Diamond[at\,\ell_0 \wedge S = s \wedge C = c + |t|]$.

The lemma states that being at $\ell_0$ with a tree $t$ at the top of the stack $S$, we are assured of a later visit at $\ell_0$ where $t$ has been removed from the stack and its node count $|t|$ has been added to $C$.

Denote by $E(n)$ the statement:

\[ E(n) : \; \forall t, s, c\; \{[at\,\ell_0 \wedge S = t \cdot s \wedge C = c \wedge |t| \le n] \supset \Diamond[at\,\ell_0 \wedge S = s \wedge C = c + |t|]\} . \]

This statement is the restriction of the lemma to trees with node count not exceeding $n$ for some natural number $n \ge 0$.

Proof of Lemma:

The lemma can then be stated as $\models \forall n.\,E(n)$; it is proved by induction. We have to show

(a) $\models E(0)$

(b) $\models E(n) \supset E(n+1)$.

(a) Since $t \cdot s \neq (\,)$ and $|t| = 0 \supset t = \Lambda$ we may apply the SP rule to the path $\ell_0 \to \ell_1 \to \ell_2 \to \ell_0$ and obtain

1. $\models [at\,\ell_0 \wedge S = t \cdot s \wedge C = c \wedge |t| = 0] \supset \diamond[at\,\ell_0 \wedge S = s \wedge C = c]$.

This establishes $E(0)$.

(b) To show $\models E(n) \supset E(n+1)$, consider an arbitrary $n$, $n \ge 0$, and assume

2. $\models E(n)$.

Then

3. $\models [at\,\ell_0 \wedge S = t' \cdot s' \wedge C = c' \wedge |t'| = n+1] \supset \diamond[at\,\ell_0 \wedge S = \ell(t') \cdot r(t') \cdot s' \wedge C = c'+1 \wedge |t'| = n+1]$

by the SP rule applied to the path $\ell_0 \to \ell_1 \to \ell_2 \to \ell_3 \to \ell_4 \to \ell_0$, using $|t'| = n+1 \supset t' \neq \Lambda$.

We now use an instantiation of $E(n)$ with $t = \ell(t')$, $s = r(t') \cdot s'$, and $c = c'+1$ (which is justified since $|t| = |\ell(t')| < n+1$) to obtain

4. $\models [at\,\ell_0 \wedge S = \ell(t') \cdot r(t') \cdot s' \wedge C = c'+1] \supset \diamond[at\,\ell_0 \wedge S = r(t') \cdot s' \wedge C = c'+1+|\ell(t')|]$.

By 3 and 4 we have

5. $\models [at\,\ell_0 \wedge S = t' \cdot s' \wedge C = c' \wedge |t'| = n+1] \supset \diamond[at\,\ell_0 \wedge S = r(t') \cdot s' \wedge C = c'+1+|\ell(t')| \wedge |t'| = n+1]$.

We now apply an instance of $E(n)$ again, this time with $t = r(t')$, $s = s'$, and $c = c'+1+|\ell(t')|$ (which is justified since $|t| = |r(t')| < n+1$) to obtain

6. $\models [at\,\ell_0 \wedge S = r(t') \cdot s' \wedge C = c'+1+|\ell(t')|] \supset \diamond[at\,\ell_0 \wedge S = s' \wedge C = c'+1+|\ell(t')|+|r(t')|]$.

By 5 and 6 we have

7. $\models [at\,\ell_0 \wedge S = t' \cdot s' \wedge C = c' \wedge |t'| = n+1] \supset \diamond[at\,\ell_0 \wedge S = s' \wedge C = c'+1+|\ell(t')|+|r(t')|]$.

Using the property

$|t| > 0 \supset |t| = 1 + |\ell(t)| + |r(t)|$

we obtain:

8. $\models [at\,\ell_0 \wedge S = t' \cdot s' \wedge C = c' \wedge |t'| = n+1] \supset \diamond[at\,\ell_0 \wedge S = s' \wedge C = c'+|t'|]$.

Universally quantifying over the variables $t'$, $s'$ and $c'$ and then renaming them to $t$, $s$ and $c$, respectively, we obtain

9. $\models \forall t, s, c\ \{[at\,\ell_0 \wedge S = t \cdot s \wedge C = c \wedge |t| = n+1] \supset \diamond[at\,\ell_0 \wedge S = s \wedge C = c+|t|]\}$.


Line 9 holds under assumption 2 for every $n$, $n \ge 0$. Combined with 2 this gives

10. $E(n) \vdash E(n+1)$.

Therefore, by the deduction theorem we have

11. $\models E(n) \supset E(n+1)$.

This concludes the proof of the lemma.

Proof of Theorem:

To prove the theorem we observe that

12. $\models [at\,\ell_0 \wedge S = (X) \wedge C = 0] \supset \diamond[at\,\ell_0 \wedge S = (\,) \wedge C = |X|]$

by the lemma with $t = X$, $s = (\,)$, and $c = 0$. But

13. $\models [at\,\ell_0 \wedge S = (\,) \wedge C = |X|] \supset \diamond[at\,\ell_e \wedge C = |X|]$

by SP applied to $\ell_0 \to \ell_e$. Therefore, by combining 12 and 13, we have

14. $\models [at\,\ell_0 \wedge S = (X) \wedge C = 0] \supset \diamond[at\,\ell_e \wedge C = |X|]$

i.e.,

15. $\models \diamond[at\,\ell_e \wedge C = |X|]$. ∎

One cannot fail to see the close resemblance between the temporal proof presented here and the informal intermittent-assertion proof conducted in [BUR] and [MW]. Our SP principle replaces the "little hand simulation" of [BUR].
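As an added illustration, not code from the paper, the following Python simulation executes the node-counting program described above and checks the lemma and the theorem against every state of the resulting trace. Assigning the counter increment to $\ell_3$ and the push to $\ell_4$ is an assumption; the proof fixes only the paths through these locations.

```python
"""Added example (not from the paper): run the stack-based node-counting
program and check the lemma and the theorem on the generated trace.

Assumed location labels (the proof fixes only the paths, not the labels):
  l0: if S = () go to le, else go to l1    l3: C := C + 1
  l1: T := hd(S); S := tl(S)               l4: S := l(T) . r(T) . S
  l2: if T = Lambda go to l0, else to l3   le: halt
"""
from typing import List, Optional, Tuple


class Tree:
    """Binary tree node; the empty tree Lambda is represented by None."""

    def __init__(self, left: "Optional[Tree]" = None,
                 right: "Optional[Tree]" = None) -> None:
        self.left, self.right = left, right


LAMBDA = None  # the empty tree


def l(T: Optional[Tree]) -> Optional[Tree]:
    """Left subtree of T, or Lambda if T has none."""
    return LAMBDA if T is LAMBDA else T.left


def r(T: Optional[Tree]) -> Optional[Tree]:
    """Right subtree of T, or Lambda if T has none."""
    return LAMBDA if T is LAMBDA else T.right


def size(T: Optional[Tree]) -> int:
    """|T|, the node count; satisfies |t| > 0 -> |t| = 1 + |l(t)| + |r(t)|."""
    return 0 if T is LAMBDA else 1 + size(l(T)) + size(r(T))


# A state is (location, stack as a tuple with the top element first, C).
State = Tuple[str, Tuple[Optional[Tree], ...], int]


def run(X: Optional[Tree]) -> List[State]:
    """Execute the program from l0 with S = (X), C = 0 and record each state."""
    S: List[Optional[Tree]] = [X]
    C, T, loc = 0, LAMBDA, "l0"
    trace: List[State] = []
    while True:
        trace.append((loc, tuple(S), C))
        if loc == "l0":
            loc = "le" if not S else "l1"        # S = (): halt
        elif loc == "l1":
            T, S = S[0], S[1:]                   # T := hd(S); S := tl(S)
            loc = "l2"
        elif loc == "l2":
            loc = "l0" if T is LAMBDA else "l3"  # empty subtree: nothing to count
        elif loc == "l3":
            C += 1                               # count the root of T
            loc = "l4"
        elif loc == "l4":
            S = [l(T), r(T)] + S                 # push right, then left subtree
            loc = "l0"
        else:                                    # le
            return trace


def lemma_holds(trace: List[State]) -> bool:
    """Check  [at l0 & S = t.s & C = c] -> <>[at l0 & S = s & C = c + |t|]
    at every l0-state of the trace whose stack is non-empty."""
    at_l0 = [(i, S, C) for i, (loc, S, C) in enumerate(trace) if loc == "l0"]
    for i, S, C in at_l0:
        if not S:
            continue
        t, s = S[0], S[1:]
        if not any(j > i and S2 == s and C2 == C + size(t)
                   for j, S2, C2 in at_l0):
            return False
    return True


def theorem_holds(trace: List[State], X: Optional[Tree]) -> bool:
    """Check  <>[at le & C = |X|]: the run halts with the full node count."""
    loc, S, C = trace[-1]
    return loc == "le" and S == () and C == size(X)


def sample_tree() -> Tree:
    """Constructed input: five nodes with a left- and a right-leaning branch."""
    return Tree(Tree(Tree()), Tree(right=Tree()))


if __name__ == "__main__":
    X = sample_tree()
    trace = run(X)
    print("lemma:", lemma_holds(trace), "theorem:", theorem_holds(trace, X))
```

Because the stack is changed only at $\ell_1$ and $\ell_4$, the search for a later $\ell_0$-state with $S = s$ and $C = c + |t|$ is exactly the stack discipline that the induction on $E(n)$ relies on.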

EXAMPLE: MUTUAL EXCLUSION (DEKKER) FORMAL PROOFS

We will now present a formal proof of the accessibility property of the program DK. An informal proof of this was presented before and we advise the reader to refer to it while reading the following proof. The accessibility statement to be proved is

Theorem: $\models at\,\ell_1 \supset \diamond at\,\ell_7$.

We will make use of the invariants derived before, namely:

$\models \Box(Q_1 \wedge Q_2 \wedge Q_3 \wedge Q_4)$

where

$Q_1:\ (y_1 = T) \equiv at\{\ell_2, \ell_3, \ell_4, \ell_7, \ell_8\}$

$Q_2:\ (y_2 = T) \equiv at\{m_2, m_3, m_4, m_7, m_8\}$

$Q_3:\ \neg at\{\ell_7, \ell_8\} \vee \neg at\{m_7, m_8\}$

and

$Q_4:\ [at\{\ell_3, \ell_4, \ell_5\} \wedge (t = 2)] \supset \neg at\{m_8, m_9, m_0\}$.

$Q_4$ was proved by the standard invariance rule in Lemma B and will not be reproven here.

The  proof  of  the  theorem  consists  of  a  sequence  of  lemmas. 

Lemma A: $\models [at\,\ell_{2,3} \wedge (t = 1)] \supset \diamond at\,\ell_7$

Proof of Lemma A:

1. $\models [at\,\ell_{2,3} \wedge (t = 1)] \supset \{\Box[at\,\ell_{2,3} \wedge (t = 1)] \vee \diamond at\,\ell_7\}$

by the ALT rule at $\ell_{2,3}$ where $\phi$ is $t = 1$. Note that by $t = 1$, the $\ell_3 \to \ell_4$ transition is never possible.

2. $\models [at\,\ell_{2,3} \wedge (t = 1) \wedge at\,m_5] \supset [at\,\ell_{2,3} \wedge (t = 1) \wedge at\,m_5 \wedge (y_2 = F)]$

by $Q_2$.

3. $\models [at\,\ell_{2,3} \wedge (t = 1) \wedge at\,m_5 \wedge (y_2 = F)] \supset \diamond at\,\ell_7$

by SP applied to the path $\ell_3 \to \ell_2 \to \ell_7$ where $\phi_3 = \phi_2$ is $(t = 1) \wedge at\,m_5 \wedge (y_2 = F)$ and $\psi$ is $at\,\ell_7$.

4. $\models \{\Box[at\,\ell_{2,3} \wedge (t = 1)] \wedge at\,m_5\} \supset \diamond at\,\ell_7$

is a temporal conclusion of 2 and 3.

This corresponds to case a of Lemma A in the informal proof.

Next we have

5. $\models \Box[at\,\ell_{2,3} \wedge (t = 1)] \supset \Box[at\,\ell_{2,3} \wedge (t = 1) \wedge (y_1 = T)]$

by $Q_1$.

6. $\models \{\Box[at\,\ell_{2,3} \wedge (t = 1) \wedge (y_1 = T)] \wedge at\{m_{1..4}, m_6\}\} \supset \diamond at\,m_5$

by the SP rule applied to the path $m_6 \to m_1 \to m_2 \to m_3 \to m_4 \to m_5$ where $\chi$ is $at\,\ell_{2,3} \wedge (t = 1) \wedge (y_1 = T)$.

7. $\models \{\Box[at\,\ell_{2,3} \wedge (t = 1)] \wedge at\{m_{1..4}, m_6\}\} \supset \diamond at\,m_5$

by 5 and 6.

8. $\models \{\Box[at\,\ell_{2,3} \wedge (t = 1)] \wedge at\,m_{1..6}\} \supset \diamond at\,\ell_7$

by 7 and 4.

This covers cases b, c, d, e, f of the informal Lemma A.

We have

9. $\models at\,m_0 \supset [at\,m_0 \wedge (y_2 = F)]$

by $Q_2$.

10. $\models [at\,m_0 \wedge (y_2 = F)] \supset \{\Box[at\,m_0 \wedge (y_2 = F)] \vee \diamond at\,m_1\}$

by ALT at $m_0$ where $\phi$ is $y_2 = F$. Therefore

11. $\models at\,m_0 \supset [\Box(y_2 = F) \vee \diamond at\,m_1]$

by 9 and 10.

12. $\models [\Box(y_2 = F) \wedge at\,\ell_{2,3} \wedge (t = 1)] \supset \diamond at\,\ell_7$

by the SP rule applied to $\ell_3 \to \ell_2 \to \ell_7$ where $\phi_3 = \phi_2$ is $t = 1$ and $\chi$ is $y_2 = F$.

13. $\models \{\Box[at\,\ell_{2,3} \wedge (t = 1)] \wedge \Box(y_2 = F)\} \supset \diamond at\,\ell_7$

is a consequence of 12. By taking the disjunction of 13 and 8 we get

14. $\models \{\Box[at\,\ell_{2,3} \wedge (t = 1)] \wedge (\Box(y_2 = F) \vee at\,m_{1..6})\} \supset \diamond at\,\ell_7$

and then

15. $\models \{\Box[at\,\ell_{2,3} \wedge (t = 1)] \wedge at\,m_0\} \supset \diamond at\,\ell_7$

is a consequence of 11 and 14.

This covers case g of the informal Lemma A.

We also have

16. $\models \{\Box[at\,\ell_{2,3} \wedge (t = 1)] \wedge at\,m_{7..9}\} \supset \diamond at\,m_0$

by the SP rule applied to the path $m_7 \to m_8 \to m_9 \to m_0$.

17. $\models \{\Box[at\,\ell_{2,3} \wedge (t = 1)] \wedge at\,m_{7..9}\} \supset \diamond at\,\ell_7$

by 15 and 16.

This covers case h of the proof.

Taking the disjunction of 8, 15 and 17 we obtain

18. $\models \Box[at\,\ell_{2,3} \wedge (t = 1)] \supset \diamond at\,\ell_7$.

Taking together 1 and 18 yields

19. $\models [at\,\ell_{2,3} \wedge (t = 1)] \supset \diamond at\,\ell_7$

which is the result of Lemma A.

Lemma B is an invariance property $\models \Box Q_4$ and is proved using the invariance principle.

Lemma C: $\models at\,\ell_5 \supset \diamond at\,\ell_7$

Proof of Lemma C:

1. $\models at\,\ell_5 \supset \{\Box at\,\ell_5 \vee \diamond[at\,\ell_6 \wedge (t = 1)]\}$

by the ALT rule at $\ell_5$.

2. $\models \Box(t = 2) \vee \diamond(t = 1)$

is a temporal tautology using the obvious invariance $(t = 1) \vee (t = 2)$.

3. $\models \Box at\,\ell_5 \supset \{\Box[at\,\ell_5 \wedge (t = 2)] \vee \diamond[at\,\ell_5 \wedge (t = 1)]\}$

is a temporal consequence of 2.

4. $\models [at\,\ell_5 \wedge (t = 1)] \supset \diamond[at\,\ell_6 \wedge (t = 1)]$

by the ESC rule at $\ell_5$ where $\phi$ is $t = 1$.

5. $\models \Box at\,\ell_5 \supset \{\Box[at\,\ell_5 \wedge (t = 2)] \vee \diamond[at\,\ell_6 \wedge (t = 1)]\}$

is a temporal consequence of 3 and 4.

6. $\models at\,\ell_5 \supset \{\Box[at\,\ell_5 \wedge (t = 2)] \vee \diamond[at\,\ell_6 \wedge (t = 1)]\}$

by 1 and 5.

7. $\models \Box[at\,\ell_5 \wedge (t = 2)] \supset \Box[at\,\ell_5 \wedge (t = 2) \wedge (y_1 = F) \wedge at\,m_{1..7}]$

by $Q_1$ and $Q_4$.

We have

8. $\models \{\Box[at\,\ell_5 \wedge (t = 2)] \wedge at\,m_7\} \supset \diamond[at\,\ell_5 \wedge (t = 1)]$

by the ESC rule at $m_7$ where $\chi$ is $at\,\ell_5 \wedge (t = 2)$ and $\psi$ is $at\,\ell_5 \wedge (t = 1)$.

9. $\models \{\Box[at\,\ell_5 \wedge (t = 2)] \wedge at\,m_7\} \supset \diamond[at\,\ell_6 \wedge (t = 1)]$

by 8 and 4.

This covers case a of the informal Lemma C.

Denoting

$\chi_0:\ at\,\ell_5 \wedge (t = 2) \wedge (y_1 = F) \wedge at\,m_{1..7}$

we have

10. $\models [\Box\chi_0 \wedge at\{m_{1,2}, m_{4..7}\}] \supset \diamond[\chi_0 \wedge at\,m_7]$

by the SP rule applied to the path $m_4 \to m_5 \to m_6 \to m_1 \to m_2 \to m_7$.

11. $\models [\Box\chi_0 \wedge at\{m_{1,2}, m_{4..7}\}] \supset \diamond[at\,\ell_6 \wedge (t = 1)]$

by 10 and 9.

This covers cases b, d, e, f, g of the informal Lemma C.

We have

12. $\models [\Box\chi_0 \wedge at\,m_3] \supset \diamond at\,m_2$

by the ESC rule at $m_3$. Thus

13. $\models [\Box\chi_0 \wedge at\,m_3] \supset \diamond[at\,\ell_6 \wedge (t = 1)]$

by 11 and 12.

This covers case c of the informal Lemma C.

Taking the disjunction of 11 and 13 and noting that $\chi_0 \supset at\,m_{1..7}$ we obtain

14. $\models \Box\chi_0 \supset \diamond[at\,\ell_6 \wedge (t = 1)]$.

Combined with 7 this gives

15. $\models \Box[at\,\ell_5 \wedge (t = 2)] \supset \diamond[at\,\ell_6 \wedge (t = 1)]$.

Combined with 6 we obtain

16. $\models at\,\ell_5 \supset \diamond[at\,\ell_6 \wedge (t = 1)]$.

Now we can derive

17. $\models [at\,\ell_6 \wedge (t = 1)] \supset \diamond[at\,\ell_{2,3} \wedge (t = 1)]$

by the SP rule applied to the path $\ell_6 \to \ell_1 \to \ell_2$ where $\phi_6 = \phi_1$ is $(t = 1)$ and $\psi$ is $at\,\ell_{2,3} \wedge (t = 1)$.

Using now Lemma A we obtain

18. $\models [at\,\ell_6 \wedge (t = 1)] \supset \diamond at\,\ell_7$

which together with 16 gives

19. $\models at\,\ell_5 \supset \diamond at\,\ell_7$.
Proof of Theorem:

Consider now the final proof of the theorem

1. $\models at\,\ell_1 \supset \diamond at\,\ell_2$   by the ESC rule at $\ell_1$

2. $\models at\,\ell_2 \supset \diamond[at\,\ell_7 \vee at\,\ell_3]$   by the ESC rule at $\ell_2$

3. $\models at\,\ell_2 \supset [\diamond at\,\ell_7 \vee \diamond at\,\ell_3]$   which is temporally equivalent to 2

4. $\models at\,\ell_3 \supset \{\diamond[at\,\ell_2 \wedge (t = 1)] \vee \diamond at\,\ell_4\}$   by the ESC rule at $\ell_3$

5. $\models [at\,\ell_2 \wedge (t = 1)] \supset \diamond at\,\ell_7$   by Lemma A

6. $\models at\,\ell_4 \supset \diamond at\,\ell_5$   by the ESC rule at $\ell_4$

7. $\models at\,\ell_4 \supset \diamond at\,\ell_7$   by Lemma C and 6

8. $\models at\,\ell_3 \supset \diamond at\,\ell_7$   by 4, 5, and 7

9. $\models at\,\ell_2 \supset \diamond at\,\ell_7$   by 3 and 8

10. $\models at\,\ell_1 \supset \diamond at\,\ell_7$   by 1 and 9

This concludes the proof of the theorem.


EXAMPLE: CONSUMER PRODUCER

Consider next proving accessibility for the Consumer-Producer program (program CP). We assume that the computations at $\ell_0$ and at $m_7$ eventually terminate. The statement to be proved is:

Theorem: $\models at\,\ell_0 \supset \diamond at\,\ell_3$

We will use in our proof the invariants which were established before

$\models \Box(Q_0 \wedge Q_1 \wedge Q_2)$

where

$Q_0:\ (cf \ge 0) \wedge (ce \ge 0) \wedge (s \ge 0)$

$Q_1:\ at\,\ell_{3..5} + at\,m_{2..5} + s = 1$

$Q_2:\ cf + ce + at\,\ell_{2..6} + at\,m_{1..6} = N$

Note that this is the first example that uses semaphores.
Assuming that the computation of $y_1$ at $\ell_0$ eventually terminates we may conclude

$\models at\,\ell_0 \supset \diamond at\,\ell_1$.

The rest of the theorem is proved by two lemmas. Lemma A ensures that we get from $\ell_1$ to $\ell_2$ and Lemma B ensures that we get from $\ell_2$ to $\ell_3$.

Lemma A: $\models at\,\ell_1 \supset \diamond at\,\ell_2$

Proof of Lemma A:

Since location $\ell_1$ contains a semaphore request instruction we will use the semaphore rule SEM to show that eventually $P_1$ will be granted access to $\ell_2$. The premise needed for the SEM rule is $\models \Box at\,\ell_1 \supset \diamond(ce > 0)$. An intuitive interpretation of this premise is that if we wait long enough at $\ell_1$, $ce$ will eventually turn positive. To show this, we give first an informal exposition inspecting the different locations in which $P_2$ may currently be.

case a: $P_2$ is at $m_6$. Then eventually it will execute the $release(ce)$ instruction to get $ce > 0$ as required.

case b: $P_2$ is at $m_2$, $m_3$, $m_4$ or $m_5$. Then it will eventually get to $m_6$ which by case a will cause $ce$ to turn positive.

case c: $P_2$ is at $m_1$. Then since $P_1$ is at $\ell_1$, $s = 1$ by $Q_1$. Since we assume that $P_1$ is waiting at $\ell_1$, $s$ will remain 1 as long as $P_2$ stays at $m_1$. By the semaphore axiom applied at $m_1$, $P_2$ will eventually proceed to $m_2$ and by case b, $ce$ will eventually turn positive.

case d: $P_2$ is at $m_0$. Then since $P_1$ is at $\ell_1$, $cf + ce = N > 0$ by $Q_2$. If $ce > 0$ we have proven our claim. Otherwise $cf > 0$ and will remain so as long as $P_2$ stays at $m_0$. Again by the semaphore axiom $P_2$ must eventually advance to $m_1$ and then by case c, $ce$ will eventually turn positive.

case e: $P_2$ is at $m_7$ or $m_8$. It will eventually get to $m_0$ and then by case d, $ce$ will eventually turn positive.

Let us now proceed with the more formal proof:

1. $\models [\Box at\,\ell_1 \wedge at\,m_6] \supset [\Box at\,\ell_1 \wedge at\,m_6 \wedge (ce \ge 0)]$

by $Q_0$.

2. $\models [\Box at\,\ell_1 \wedge at\,m_6 \wedge (ce \ge 0)] \supset \diamond(ce > 0)$

by ESC applied at $m_6$ where $\phi$ is $ce \ge 0$, $\chi$ is $at\,\ell_1$, $\psi$ is $ce > 0$.

3. $\models [\Box at\,\ell_1 \wedge at\,m_6] \supset \diamond(ce > 0)$

is a conclusion of 1 and 2.

This corresponds to case a above.

We have

4. $\models [\Box at\,\ell_1 \wedge at\,m_{2..5}] \supset \diamond at\,m_6$

by the SP rule applied to the path $m_2 \to m_3 \to m_4 \to m_5 \to m_6$.

5. $\models [\Box at\,\ell_1 \wedge at\,m_{2..5}] \supset \diamond(ce > 0)$

is a conclusion of 4 and 3.

This covers case b above.

We have

6. $\models [at\,\ell_1 \wedge at\,m_1] \supset (s = 1)$

by $Q_1$.

7. $\models [\Box at\,\ell_1 \wedge \Box at\,m_1] \supset \diamond(s = 1)$

is a temporal consequence of 6.

8. $\models [\Box at\,\ell_1 \wedge at\,m_1] \supset \diamond at\,m_2$

by the SEM rule at $m_1$ where $\chi$ is $at\,\ell_1$.

9. $\models [\Box at\,\ell_1 \wedge at\,m_1] \supset \diamond(ce > 0)$

is a conclusion of 8 and 5.

This covers case c.

We have

10. $\models [\Box at\,\ell_1 \wedge at\,m_0] \supset [(cf > 0) \vee (ce > 0)]$

by $Q_2$.

11. $\models \Box(at\,\ell_1 \wedge at\,m_0 \wedge (cf > 0)) \supset \diamond(cf > 0)$

is a trivial temporal tautology.

12. $\models [\Box at\,\ell_1 \wedge at\,m_0 \wedge (cf > 0)] \supset \diamond at\,m_1$

by the SEM rule at $m_0$, where $\phi$ is $cf > 0$, $\chi$ is $at\,\ell_1$.

13. $\models [\Box at\,\ell_1 \wedge at\,m_0 \wedge (cf > 0)] \supset \diamond(ce > 0)$

is a conclusion of 12 and 9.

14. $\models [\Box at\,\ell_1 \wedge at\,m_0] \supset \diamond(ce > 0)$

by a disjunction of 10 and 13.

This corresponds to case d.

We have

15. $\models [\Box at\,\ell_1 \wedge at\,m_{7,8}] \supset \diamond at\,m_0$

by the SP rule applied to the path $m_7 \to m_8 \to m_0$.

16. $\models [\Box at\,\ell_1 \wedge at\,m_{7,8}] \supset \diamond(ce > 0)$

by 15 and 14.

This covers case e.

By taking the disjunction of 3, 5, 9, 14 and 16 we obtain

17. $\models \Box at\,\ell_1 \supset \diamond(ce > 0)$.

By applying the SEM rule at $\ell_1$ we obtain

18. $\models at\,\ell_1 \supset \diamond at\,\ell_2$. ∎

Lemma B: $\models at\,\ell_2 \supset \diamond at\,\ell_3$

Proof of Lemma B:

Here again we will apply the SEM rule, this time at $\ell_2$. The needed premise for its application is:

$\models \Box at\,\ell_2 \supset \diamond(s > 0)$.

By inspecting the current location of $P_2$ we distinguish three cases:

case a: $P_2$ is at $m_5$. It will eventually advance to $m_6$ and turn $s$ positive.

case b: $P_2$ is somewhere in $\{m_2, m_3, m_4\}$. It will eventually get to $m_5$ and then by case a will turn $s$ positive.

case c: $P_2$ is somewhere in $\{m_0, m_1, m_6, m_7, m_8\}$. By $Q_1$, since $P_1$ is at $\ell_2$, $s$ is currently equal to 1.

Thus the more formal proof is given by:

1. $\models [\Box at\,\ell_2 \wedge at\,m_5] \supset [\Box at\,\ell_2 \wedge at\,m_5 \wedge (s \ge 0)]$

by $Q_0$.

2. $\models [\Box at\,\ell_2 \wedge at\,m_5 \wedge (s \ge 0)] \supset \diamond(s > 0)$

by ESC applied at $m_5$ where $\phi$ is $s \ge 0$, $\chi$ is $at\,\ell_2$, $\psi$ is $s > 0$.

3. $\models [\Box at\,\ell_2 \wedge at\,m_5] \supset \diamond(s > 0)$

is a conclusion of 1 and 2.

This covers case a.

We have

4. $\models [\Box at\,\ell_2 \wedge at\,m_{2..4}] \supset \diamond(at\,m_5)$

by the SP rule applied to the path $m_2 \to m_3 \to m_4 \to m_5$.

5. $\models [\Box at\,\ell_2 \wedge at\,m_{2..4}] \supset \diamond(s > 0)$

by 4 and 3.

This covers case b.

We have

6. $\models [\Box at\,\ell_2 \wedge \neg at\,m_{2..5}] \supset (s = 1)$

by $Q_1$.

7. $\models [\Box at\,\ell_2 \wedge \neg at\,m_{2..5}] \supset \diamond(s > 0)$

by 6.

This covers case c.

By taking the disjunction of 3, 5, and 7 we obtain

8. $\models \Box at\,\ell_2 \supset \diamond(s > 0)$.

Applying the SEM rule at $\ell_2$ yields

9. $\models at\,\ell_2 \supset \diamond at\,\ell_3$,

which is the desired Lemma B. ∎

EXAMPLE: BINOMIAL COEFFICIENT

We will now establish the termination of the program $BC_1$ for the distributed evaluation of a binomial coefficient. Since we have already proved the partial correctness of this program, termination will guarantee total correctness.

The statement to be proved is:

Theorem: $\models \diamond(at\,\ell_e \wedge at\,m_e)$

The initial condition associated with the proper computation of the program is

$at\,\ell_0 \wedge at\,m_0 \wedge (y_1 = n) \wedge (y_2 = 0) \wedge (y_3 = 1) \wedge (y_4 = 1) \wedge (0 \le k \le n)$.

We will use in our proof the following invariants that were established above:

$\models \Box(Q_0 \wedge Q_1 \wedge Q_2)$,

where

$Q_0$ is $at\,\ell_{2..4} + at\,m_{4..6} + y_4 = 1$

$Q_1$ is $((n - k) \le y_1 \le n) \wedge (0 \le y_2 \le k)$

$Q_2$ is $at\,\ell_e \supset (y_1 = n - k)$.

We start by proving a sequence of lemmas:

Lemma A1: $\models [at\,\ell_1 \wedge (y_1 = u)] \supset \diamond[at\,\ell_2 \wedge (y_1 = u)]$

This lemma ensures that we never get stuck at $\ell_1$ which is a semaphore instruction.

Proof of Lemma A1:

The proof distinguishes three cases according to the current location of $P_2$. In all cases we assume that $P_1$ is waiting at $\ell_1$.

case a: $P_2$ is at $m_6$. The next time it will be scheduled will increment $y_4$, making it positive.

case b: $P_2$ is in $\{m_4, m_5\}$. Eventually it will get to $m_6$ and increment $y_4$.

case c: $P_2$ is in $\{m_0, m_1, m_2, m_3, m_7, m_8\}$. By $Q_0$ and the fact that $P_1$ is at $\ell_1$, $y_4$ is currently positive.

In all three cases we can show that the value of $y_1$ never changes.

Thus we have:

1. $\models [\Box at\,\ell_1 \wedge at\,m_6] \supset [\Box at\,\ell_1 \wedge at\,m_6 \wedge (y_4 \ge 0)]$

by $Q_0$.

2. $\models [\Box at\,\ell_1 \wedge at\,m_6 \wedge (y_4 \ge 0)] \supset \diamond(y_4 > 0)$

by the ESC rule at $m_6$ where $\phi$ is $y_4 \ge 0$, $\chi$ is $at\,\ell_1$.

3. $\models [\Box at\,\ell_1 \wedge at\,m_6] \supset \diamond(y_4 > 0)$

by 2 and 1.

This covers case a.

We have

4. $\models [\Box at\,\ell_1 \wedge at\,m_{4,5}] \supset \diamond at\,m_6$

by the SP rule applied to the path $m_4 \to m_5 \to m_6$.

5. $\models [\Box at\,\ell_1 \wedge at\,m_{4,5}] \supset \diamond(y_4 > 0)$

by 4 and 3.

This covers case b.

We have

6. $\models [\Box at\,\ell_1 \wedge \neg at\,m_{4..6}] \supset (y_4 > 0)$

by $Q_0$. Therefore

7. $\models [\Box at\,\ell_1 \wedge \neg at\,m_{4..6}] \supset \diamond(y_4 > 0)$.

This covers case c.

By taking the disjunction of 3, 5 and 7 we obtain

8. $\models \Box at\,\ell_1 \supset \diamond(y_4 > 0)$.

Applying the SEM rule at $\ell_1$ where $\phi$ is $y_1 = u$ we obtain

9. $\models [at\,\ell_1 \wedge (y_1 = u)] \supset \diamond[at\,\ell_2 \wedge (y_1 = u)]$. ∎

Lemma A2: $\models \{[at\,\ell_{1..5} \wedge (y_1 = u + 1)] \vee [at\,\ell_6 \wedge (y_1 = u)]\} \supset \diamond[at\,\ell_0 \wedge (y_1 = u)]$

This lemma ensures that being anywhere in $\ell_1$ to $\ell_5$ we return to $\ell_0$ with the value of $y_1$ smaller by 1 than the original, and being at $\ell_6$ we return to $\ell_0$ with the value of $y_1$ unchanged.

Proof of Lemma A2:

After being ensured by Lemma A1 of not being blocked at $\ell_1$ all that remains is to trace the value of $y_1$. Indeed:

1. $\models [at\,\ell_1 \wedge (y_1 = u + 1)] \supset \diamond[at\,\ell_2 \wedge (y_1 = u + 1)]$

by Lemma A1.

2. $\models \{[at\,\ell_{2..5} \wedge (y_1 = u + 1)] \vee [at\,\ell_6 \wedge (y_1 = u)]\} \supset \diamond[at\,\ell_0 \wedge (y_1 = u)]$

by applying the SP rule to the path $\ell_2 \to \ell_3 \to \ell_4 \to \ell_5 \to \ell_6 \to \ell_0$ where $\phi_2 = \phi_3 = \phi_4 = \phi_5$ is $y_1 = u + 1$, $\phi_6$ is $y_1 = u$, and $\psi$ is $at\,\ell_0 \wedge (y_1 = u)$.

3. $\models [at\,\ell_1 \wedge (y_1 = u + 1)] \supset \diamond[at\,\ell_0 \wedge (y_1 = u)]$

by 1 and 2.

4. $\models \{[at\,\ell_{1..5} \wedge (y_1 = u + 1)] \vee [at\,\ell_6 \wedge (y_1 = u)]\} \supset \diamond[at\,\ell_0 \wedge (y_1 = u)]$

by 2 and 3.

This establishes Lemma A2. ∎

Lemma A3: $\models [at\,\ell_0 \wedge (y_1 \ge n - k)] \supset \diamond[at\,\ell_e \wedge (y_1 = n - k)]$.

This lemma establishes the termination of $P_1$ if started at $\ell_0$ with $y_1 \ge n - k$.

Proof of Lemma A3:

Define the auxiliary assertion:

$E_1(u):\ [at\,\ell_0 \wedge (y_1 = u)] \supset \diamond[at\,\ell_e \wedge (y_1 = n - k)]$.

We will establish the lemma by showing that

$\models (u \ge n - k) \supset E_1(u)$.

This will be established by induction on $u \ge n - k$. We will have to show first

(a) $\models E_1(n - k)$

and then

(b) $\models [(u \ge n - k) \wedge E_1(u)] \supset E_1(u + 1)$.

(a) To prove part a we observe that $E_1(n - k)$ just says that if we are at $\ell_0$ with $y_1 = n - k$ we will eventually get to $\ell_e$ with $y_1 = n - k$. This is obvious since when $y_1 = n - k$, $P_1$ proceeds directly from $\ell_0$ to $\ell_e$. Indeed:

1. $\models [at\,\ell_0 \wedge (y_1 = n - k)] \supset \diamond[at\,\ell_e \wedge (y_1 = n - k)]$

by the ESC rule applied at $\ell_0$ where $\phi$ is $y_1 = n - k$, considering just the exit whose enabling condition $c$ is $y_1 = n - k$. In other words,

1'. $\models E_1(n - k)$.

(b) To prove part b we assume that $u \ge n - k$ and $E_1(u)$ is true and consider an execution that starts at $\ell_0$ with $y_1 = u + 1$. Since $u + 1 > n - k$ we will proceed to $\ell_1$ with $y_1 = u + 1$. By Lemma A2 we will return to $\ell_0$ with $y_1 = u$. Now by the assumption of $E_1(u)$ we will eventually get to $\ell_e$ with $y_1 = n - k$.

For the formal proof, we assume:

2. $\models u \ge n - k$

and

3. $\models E_1(u)$, i.e.,

3'. $\models [at\,\ell_0 \wedge (y_1 = u)] \supset \diamond[at\,\ell_e \wedge (y_1 = n - k)]$.

Then

4. $\models [at\,\ell_0 \wedge (y_1 = u + 1)] \supset [at\,\ell_0 \wedge (y_1 = u + 1) \wedge (y_1 > n - k)]$

by 2.

5. $\models [at\,\ell_0 \wedge (y_1 = u + 1) \wedge (y_1 > n - k)] \supset \diamond[at\,\ell_1 \wedge (y_1 = u + 1)]$

by the ESC rule at $\ell_0$ using only the $\ell_0 \to \ell_1$ exit where $\phi$ is $y_1 > n - k$.

6. $\models [at\,\ell_0 \wedge (y_1 = u + 1)] \supset \diamond[at\,\ell_1 \wedge (y_1 = u + 1)]$

by 4 and 5.

7. $\models [at\,\ell_0 \wedge (y_1 = u + 1)] \supset \diamond[at\,\ell_0 \wedge (y_1 = u)]$

by 6 and Lemma A2.

8. $\models [at\,\ell_0 \wedge (y_1 = u + 1)] \supset \diamond[at\,\ell_e \wedge (y_1 = n - k)]$

by 7 and 3'; i.e., by the definition of $E_1$,

8'. $\models E_1(u + 1)$.

Applying the deduction theorem to 2, 3, and 8', we obtain

9. $\models (u \ge n - k) \supset [E_1(u) \supset E_1(u + 1)]$.

Now we may combine parts a and b (i.e., 1' and 9) to deduce the lemma using the induction principle. ∎

Lemma A4: $\models \diamond[at\,\ell_e \wedge (y_1 = n - k)]$

This states that no matter where we are in a properly initialized execution of the program, we will eventually wind up at $\ell_e$ with $y_1 = n - k$.

Proof of Lemma A4:

There are three cases to be considered according to the current location of $P_1$.

case a: $P_1$ is already at $\ell_e$. Then we have by $Q_2$ that $y_1 = n - k$.

case b: $P_1$ is at $\ell_0$. Then we are assured by $Q_1$ that $y_1 \ge n - k$; hence, by Lemma A3, we will wind up at $\ell_e$ with $y_1 = n - k$.

case c: $P_1$ is anywhere else, that is in $\{\ell_1, \ldots, \ell_6\}$. Then we will eventually get to $\ell_0$ by Lemma A2, which is already covered by case b.

We proceed with the formal proof. We have

1. $\models at\,\ell_e \supset [at\,\ell_e \wedge (y_1 = n - k)]$

by $Q_2$.

This corresponds to case a.

We have

2. $\models at\,\ell_0 \supset [at\,\ell_0 \wedge (y_1 \ge n - k)]$

by $Q_1$.

3. $\models at\,\ell_0 \supset \diamond[at\,\ell_e \wedge (y_1 = n - k)]$

by Lemma A3.

This covers case b.

We have

4. $\models at\,\ell_{1..6} \supset \diamond at\,\ell_0$

by Lemma A2.

5. $\models at\,\ell_{1..6} \supset \diamond[at\,\ell_e \wedge (y_1 = n - k)]$

by 4 and 3.

This covers case c.

Taking the disjunction of 1, 3 and 5 we obtain

6. $\models \diamond[at\,\ell_e \wedge (y_1 = n - k)]$

which establishes the lemma. ∎


We now turn to the termination of $P_2$.

Lemma B0: $\models [at\,m_2 \wedge (y_2 = u)] \supset \diamond[at\,m_3 \wedge (y_2 = u)]$

This lemma states that we can never get blocked at $m_2$.

Proof of Lemma B0:

By Lemma A4 we are guaranteed that $P_1$ will eventually get to $\ell_e$ with $y_1 = n - k$. In the worst case, by the time $P_1$ gets to $\ell_e$, $P_2$ is still waiting at $m_2$. But then by $Q_1$, $y_2 \le k$ and $y_1 = n - k$ so that $y_1 + y_2 \le n$, which enables the exit condition and leaves it enabled until $P_2$ moves. This proof should not be considered as saying that $P_2$ will indeed wait at $m_2$ until $P_1$ terminates, but this approach provides the easiest proof.

Proceeding with the more formal proof we have

1.

by the ALT rule at $m_2$ where $\phi$ is $y_2 = u$.

2. $\models \Box[at\,m_2 \wedge (y_2 = u)] \supset \diamond[at\,m_2 \wedge (y_2 = u) \wedge at\,\ell_e \wedge (y_1 = n - k)]$

by Lemma A4.

3. $\models [at\,m_2 \wedge (y_2 = u) \wedge at\,\ell_e \wedge (y_1 = n - k)] \supset [at\,m_2 \wedge (y_2 = u) \wedge at\,\ell_e \wedge (y_1 + y_2 \le n)]$

using $y_2 \le k$ given by $Q_1$.

4. $\models [at\,m_2 \wedge (y_2 = u) \wedge at\,\ell_e \wedge (y_1 + y_2 \le n)] \supset \diamond[at\,m_3 \wedge (y_2 = u)]$

by ESC at $m_2$ considering only the exit $m_2 \to m_3$ where $\phi$ is $(y_2 = u) \wedge at\,\ell_e \wedge (y_1 + y_2 \le n)$.

5. $\models \Box[at\,m_2 \wedge (y_2 = u)] \supset \diamond[at\,m_3 \wedge (y_2 = u)]$

by 2, 3, and 4.

6. $\models [at\,m_2 \wedge (y_2 = u)] \supset \diamond[at\,m_3 \wedge (y_2 = u)]$

by 1 and 5. ∎

Lemma B1: $\models [at\,m_3 \wedge (y_2 = u)] \supset \diamond[at\,m_4 \wedge (y_2 = u)]$

This lemma states that $P_2$ does not get blocked at $m_3$ but eventually proceeds to $m_4$ with an unchanged value of $y_2$.

It is analogous to Lemma A1 and has a very similar proof. In that proof we distinguish three cases according to the location of $P_1$. They are: $P_1$ at $\ell_4$, $P_1$ in $\{\ell_2, \ell_3\}$, and $P_1$ elsewhere. Their analysis is identical to that of Lemma A1.


Lemma B2: $\models \{[at\,m_1 \wedge (y_2 = u)] \vee [at\,m_{2..7} \wedge (y_2 = u + 1)]\} \supset \diamond[at\,m_0 \wedge (y_2 = u + 1)]$

This lemma states that if we are anywhere in $m_1$ to $m_7$ we will eventually return to $m_0$ with $y_2$ properly adjusted.

Proof of Lemma B2:

1. $\models [at\,m_{4..7} \wedge (y_2 = u + 1)] \supset \diamond[at\,m_0 \wedge (y_2 = u + 1)]$

by the SP rule applied to the path $m_4 \to m_5 \to m_6 \to m_7 \to m_0$ where $\phi_4 = \phi_5 = \phi_6 = \phi_7$ is $y_2 = u + 1$ and $\psi$ is $at\,m_0 \wedge (y_2 = u + 1)$.

2. $\models [at\,m_3 \wedge (y_2 = u + 1)] \supset \diamond[at\,m_0 \wedge (y_2 = u + 1)]$

by Lemma B1 and 1.

3. $\models [at\,m_2 \wedge (y_2 = u + 1)] \supset \diamond[at\,m_0 \wedge (y_2 = u + 1)]$

by Lemma B0 and 2.

4. $\models [at\,m_1 \wedge (y_2 = u)] \supset \diamond[at\,m_2 \wedge (y_2 = u + 1)]$

by the ESC rule at $m_1$ where $\phi$ is $y_2 = u$ and $\psi$ is $at\,m_2 \wedge (y_2 = u + 1)$.

5. $\models [at\,m_1 \wedge (y_2 = u)] \supset \diamond[at\,m_0 \wedge (y_2 = u + 1)]$

by 4 and 3.

By taking the disjunction of 1, 2, 3 and 5 we obtain:

6. $\models \{[at\,m_1 \wedge (y_2 = u)] \vee [at\,m_{2..7} \wedge (y_2 = u + 1)]\} \supset \diamond[at\,m_0 \wedge (y_2 = u + 1)]$.

Lemma B3: $\models [at\,m_0 \wedge (y_2 \le k)] \supset \diamond[at\,m_e \wedge (y_2 = k)]$

This lemma establishes the termination of $P_2$ if started at $m_0$ with $y_2 \le k$.

Proof of Lemma B3:

Similarly to the proof of Lemma A3 we define the auxiliary assertion

$E_2(u):\ [at\,m_0 \wedge (y_2 = u)] \supset \diamond[at\,m_e \wedge (y_2 = k)]$.

The lemma is established by showing that

$\models (u \le k) \supset E_2(u)$.

Analogously to A3 this is proven by descending induction on $u \le k$. We show the two clauses:

(a) $\models E_2(k)$

and

(b) $\models [(u < k) \wedge E_2(u + 1)] \supset E_2(u)$.

Part a is proved by observing the direct path from $m_0$ to $m_e$ in the case that $y_2 = k$. Part b is proved by tracing the execution from $m_0$ with $y_2 = u < k$ to $m_0$ with $y_2 = u + 1$ and using the induction hypothesis to finally guarantee $at\,m_e \wedge (y_2 = k)$.

The details of the formal proof are very similar to those of A3. ∎

Lemma B4: $\models \diamond at\,m_e$

This statement says that regardless of where we are in a properly initialized execution of the program, we eventually wind up at $m_e$.

Proof of Lemma B4:

Similarly to the proof of Lemma A4 there are three cases to be considered:

case a: $P_2$ already at $m_e$.

case b: $P_2$ currently at $m_0$. Then we have by $Q_1$ that $y_2 \le k$ and hence by Lemma B3 we will eventually reach $m_e$.

case c: $P_2$ is elsewhere. Then we will eventually get to $m_0$ by Lemma B2.

The formal details are similar to those of Lemma A4. ∎

Proof of Theorem:

To conclude the proof of the theorem we observe that:

1. $\models at\,\ell_e \supset \Box at\,\ell_e$

by the ALT rule since $\ell_e$ has no exits.

2. $\models \diamond\Box at\,\ell_e$

by Lemma A4 and 1. Similarly,

3. $\models \diamond\Box at\,m_e$

using Lemma B4 and the ALT rule at $m_e$.

A temporal consequence of 2 and 3 is

$\models \diamond[at\,\ell_e \wedge at\,m_e]$. ∎